Internet threat news

Most countries have some form of legislation detailing how corporations, state departments, and in certain instances, private individuals must make cybersecurity a priority. These pieces of legislation more often than not specify how data and networks are to be protected and if not done according to legislation how the powers that be can punish those found to be negligent. This punishment is often meted out in the form of massive fines, which can easily hit the hundreds of millions mark. For the first in time in United States legal history, twelve states have jointly filed a lawsuit in a data breach case. The twelve states have filed a lawsuit in accordance with the Health Insurance Portability and Accountability Act (HIPAA) in response to a data breach which occurred in 2015. HIPAA is a piece of legislation enacted in the US that provides data privacy and security provisions for safeguarding medical information. The law has emerged into greater prominence in recent years with the proliferation of health data breaches caused by cyber attacks and ransomware attacks on health insurers and providers. Compliance with the law is seen as non-negotiable with legislators and the relevant enforcement bodies.

Law enforcement agencies and security firms the world over constantly advice victims of ransomware not to make payment. Despite this well-meaning advice payments are still made. It is estimated that the authors of the SamSam ransomware netted nearly 6 million USD. If you made a payment to the crew behind SamSam you will want to read further as the payment made may violate US sanctions. Towards the end of November 2018, the American Department of Justice (DoJ) announced the first ever instance of an indictment against criminal actors for deploying a for-profit ransomware, hacking, and extortion scheme for the department. According to the indictment, Faramarz Shahi Savandi, and Mohammad Mehdi Shah Mansouri, both operating in Iran, authored and deployed the SamSam ransomware. The subsequent attack encrypted files on computers belonging to US hospitals, schools, companies, government agencies, and other entities.

Malware leveraging AutoCAD is not a new phenomenon, however, while not new it is rare when compared to other malware infections. Researchers at Forcepoint have discovered a unique AutoCAD malware strain been used in a cyber-espionage group. For those who have never come across AutoCAD, the CAD stands for Computer Assisted Design and has played a vital role in the past decades building our technology-driven society, helping structures and engineering reach new levels of complexity. Designing a building such as the Burj Khalifa by hand would be difficult if not impossible hence AutoCAD has come to be a crucial piece of software for engineering firms across the globe.

According to the report published by the firm the campaign appears to have been active since 2014, based on telemetry data the company has analyzed. Further Forcepoint believes the group behind this recent campaign is most likely very sophisticated and primarily interested in industrial espionage, due to its focus on using a niche infection vector like AutoCAD, a very expensive piece of software, utilized mainly by engineers and designers.

It seems like nearly every week, sometimes every few days, security researchers discover a new crypto miner. The latest discovery is not only a crypto miner also installs a rootkit and another strain of malware that can execute DDoS attacks. Malware targeting Linux users is not as common an occurrence as Windows-based malware strains but as time goes by they appear to become far more complex and multi-functional. Security researchers at Dr.Web, a Russian based security firm, discovered the malware which as of yet has not been named. As it stands the malware is referred to by its generic detection name of Linux.BtcMine.174.

Calling the miner a crypto miner is incorrect. The malware is probably best described as a trojan given its multi-faceted nature. The trojan can be seen as a good example of the evolution currently seen in Linux malware as despite its generic name it more complex than the majority of Linux malware strains detected. The trojan itself is a giant shell script of over 1,000 lines of code. This script is the first file executed on an infected Linux system. The first thing this script does is to find a folder on disk to which it writes permissions so it can copy itself and later use to download other modules.

The day after Thanksgiving in the United States has become known as Black Friday and has become defined by mad shopping for discounted products. The term may have originated in Philadelphia in the 1960s, where it was used to describe the heavy and disruptive pedestrian and vehicle traffic that would occur on the day after Thanksgiving. Now it is defined by stampedes at retail shops like Target and Best Buy plastered on the news. It is not only at brick and mortar stores can consumers get injured. Online shopping on Black Friday can be equally as dangerous to consumers, more accurately their bank balance.

The dangers posed to consumers are those normally faced by online purchases, only given the sheer increase in traffic cybercriminals have a greater chance of catching consumers out. The prime tool used to steal information from consumers are Banking Trojans. A banking trojan can be defined as a piece of malware designed to get financial information or hack users through a banking or financial system, commonly through an online banking or brokerage interface. They can work in a variety of ways by either seeding code into bank websites or through intercepting passwords or information through the use of keyloggers.

The group behind the malware dubbed Olympic Destroyer, which plagues the Korean Winter Olympics at the start of the year, seem to have upgraded their arsenal. Researchers at Check Point believe the group is in the process of an evolutionary shift in terms of tactics and execution. Researchers over the past few weeks have witnessed new activity by the group called Hades. By analyzing samples previously observed by other researchers and the newly discovered samples researchers have attempted to create a more up to date summary of the group’s tactics. For advanced persistent threat (APT) groups a month is a long time and more than enough time to change tactics. It has been approximately nine since Olympic Destroyer made international headlines.

The incident in question occurred just before the opening ceremony of the Winter Olympics hosted by South Korea. The attack caused the official games website to go dark. In addition, television sets and Internet-related systems at the games were also disrupted for roughly 12 hours. The attack was dubbed Olympic Destroyer, with many believing it was a result of the banning of Russia and its athletes from competing in the games under the Russian flag. The decision to ban Russia was a result of the country’s involvement in a state-sponsored doping campaign. For many within the InfoSec community, the Olympic Destroyer attack was in retaliation of the banning decision.

The year so far has been a punishing one for security firm Kaspersky. Continued clashes with US authorities has resulted in the company changes tactics and limit damage control. At a summit in Zurich, Switzerland, the embattled company held a conference on Tuesday, November 12, 2018, called Transparency Summit in a bid to convince the public they are a firm to be trusted. The summit highlighted the development of the company’s Global Transparency Initiative (GTI), announced in May of this year, which has resulted in the company moving operations from Moscow to Zurich with planned centers set for establishment across the globe. The summit also warned of the emergence of what Kaspersky calls “Tech Nationalism.” The summit and the transparency initiative have been the culmination of events that started with an article published in the Wall Street Journey in late 2017.

Malware designed to mine cryptocurrencies, more often Monero due to the platforms increased anonymity, are increasing in use and sophistication. The malware referred to as crypto miners, or crypto-jacking , use the infected victims CPU resources to mine for cryptocurrencies. The attackers rely on infecting as many devices as possible in order to turn some impressive profits. Researchers at TrendMicro have detected two new crypto miners with each targeting Linux and Windows users respectively. The latest miner to be discovered by researchers has been called KORKERDS. In a blog article published by TrendMicro discovered the strain mining cryptocurrencies on Linux computers. The interesting thing about KORKERDS is that unlike regular crypto miners, the malware employs a rootkit to assist in hiding itself. A rootkit is commonly seen as a program or collection of tools that give the attacker remote access to and control over a computer or other system. Rootkits are also used, as in the case KONKERDS, to prevent detection of the malware.

Artificial Intelligence, generally referred to simply as AI, has the potential to revolutionize numerous industries. It has the potential for making numerous forms of employment redundant, a much argued economic side effect impacting on those made redundant. At its best, it could drastically improve the lives on the planet. These assumptions look at AI what it can potentially do when there is no malice behind their actions. How then could AI change the nature of cyber threats? Before that question can be looked at it is wise to look at what AI currently is and how it is defined. There are a lot of misconceptions circulating the subject. Some prophesize the technology to be the end of the world while others see it as a technology to take humanity to the next step. Both Stephen Hawking and Elon Musk have previously voiced their concerns over the technology.

It has almost been a week since Apple unveiled the new MacBook Air in Brooklyn, New York, the reveal was important for another reason. Apple further revealed that all new notebooks that come with a built-in T2 security chip will now disconnect the built-in microphone at the hardware level when users close their devices' lids. This new feature can be seen as a security enhancement designed to prevent malware from secretly recording users. Secretly recording user conversations using the webcam, for example, has become a staple feature of many spyware and other malware variants over the last several years. While Apple doesn't like to talk about malware, recently there are quite a few browser hijackers (for example weknow.ac, nvsearch.club), potentially unwanted applications (for example advanced mac cleaner, mac cleanup pro) and adware (for example CoinTicker, MacOSDefender) targeting Mac OS operating system.

The group behind the Emotet trojan developing a reputation for deploying the malware as a banking trojan. Not content to be a one trick pony those behind the malware are continually developing the trojan. In the latest iteration of Emotet a module has been included that is capable of stealing a victim's emails for the previous six months. In previous versions, Emotet could be only capable of stealing email addresses. The new updates open up the possibility of data theft and corporate espionage for the cybercriminals. To further complicate matters the new capability can be deployed on any system that is already infected by the malware.

Hackers offering Malware-as-a-Service (Maas) is not a new trend by any means. Since the first detections of such schemes, their popularity has not seemed to dwindle of the years. This is in part because they allow those less technically minded, or too lazy to develop their own malware, with an option to make a quick buck, albeit an illegal one. MaaS can be defined as the hiring of software and hardware for carrying out cyber attacks. In a majority of instances, the owners of MaaS servers provide paid access to a botnet that distributes malware. Like their more legal cousins, clients of such services are offered a personal account through which to control the attack, as well as technical support.

Security researchers at Fortinet have published details on a recently discovered DDoS-for-hire service built with leaked code that offers easy and cheap access to sufficient power to knock down most targets. Distributed Denial of Service (DDoS) attacks is an attack in which multiple compromised devices attack a target simultaneously, such as a server, website, or other network resources, and cause a denial of service for users. DDoS businesses have been around for quite a while, with the sheer amount of mobile devices it is more common for these to be used to drive attacks.

Last week this publication published an article detailing the show of sympathy from the GandCrab ransomware developers to the people of Syria who had been infected. This show of sympathy took the form of the developers releasing the decryption keys for Syrians infected with GandCrab. On the face of it, the show of goodwill did appear as one. Unfortunately, while the keys were released there was now decryptor available to those infected with the ransomware. This meant that the keys were useless for most of the Syrians affected.

If you were of any other nationality you were truly out of luck as you had no decryption tool or key to help decrypt your encrypted files. That was the state of affairs till October 25. Announced via a Europol press release the law enforcement body stated that in a collaborative effort by Romanian police, with counterparts from Bulgaria, France, Hungary, Italy, Poland, the Netherlands, United Kingdom, United States and the security firm Bitdefender a decryption tool had been developed. Importantly the tool works on all but two versions of GandCrab (v 2 and 3). The release of this tool follows a week after the GandCrab developers made public decryption keys allowing only a limited pool of victims located in Syria to recover their files.

Security Researchers at FireEye have tracked the development of Triton to a research institute owned by the Russian government. In a report published on Tuesday 23 October, researchers claim that they have uncovered a strong link between the Triton malware and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a technical research organization located in Moscow and owned by the Russian government. Triton, which has also been called Trisis and Hatman, was used in a campaign targeting Industrial Control Systems (ICS) in the Middle East. Industrial Control Systems are extensively used in industries such as chemical processing, paper manufacture, power generation, oil and gas processing, and telecommunications.