Internet threat news

Phishing, namely the fraudulent attempt to gain an individual's personal information or credit card information via the use of emails and fake websites, continues to be a favored tactic employed by hackers to part users with money and information that can be used for identity theft. In a recent blog post has revealed three of the more cunning phishing operations they discovered for the year of 2019.

Over the years protections against phishing have increased and become incredibly effective, preventing billions of malicious phishing emails from reaching end-users. This has in a sense created an arms war between cybercriminals and those looking to secure machines and networks. Researchers at Windows’ Office 365 Advanced Threat Protection noticed an escalation in the tactics used as well as techniques involving the abuse of legitimate cloud services like those offered by Microsoft, Google, Amazon, and others. The first cunning case study involves the use of URLs that point to legitimate but compromised websites.

New and novel ways to further a malware main objectives do not happen too often. Hackers prefer to use tried and tested means to distribute and deploy malware. Even the development of new malware is generally done by veteran groups of hackers with a certain skillset. When a new trick is seen interest is raised accordingly amongst researchers and journalists. The trick that has gotten all the attention lately was created by the malware authors behind the Snatch ransomware. The trick involves rebooting the infected machine into Safe Mode and then encrypting files. This is done in an attempt to avoid detection.

In a recent report published by Sophos, researchers noted that the trick works because some antivirus packages do not start in Safe Mode, the mode is used to recover from a corrupted operating system. This is likely the first time such a tactic has been seen in the wild. This is novel for a second reason as the majority of malware currently circling the Internet does not persist on the machine after a reboot, meaning Snatch has been designed to persist and function after the machine has been rebooted in Safe Mode.

After a two year hiatus the botnet, named Great Cannon, has been resurrected back to life to carry our DDoS attacks. A distributed denial of service (DDoS) attack is a malicious attempt to disrupt the traffic heading to a server, network, or website by flooding the infrastructure with traffic. This is done by utilizing compromised machines, referred to as sometimes as bots, to continually send requests to the target. Another method used to carry out the attacks is to intercept other legitimate traffic and then redirecting that traffic towards the victim. This works by essentially causing a traffic jam as the server cannot deal with all the requests and cannot deal with legitimate traffic denying users the service offered.

Great Cannon was last seen in 2017 when Chinese authorities used it for DDoS attacks against Mingjingnews.com, a New York-based Chinese news site. Now the DDoS botnet is been used to launch attacks against LIHKG, an online forum where Hong Kong residents are organizing anti-Beijing protests. Great Cannon made a name for itself when it was used to attack GitHub and GreatFire.org. GitHub was targeted for hosting tools to aid Chinese users to bypass China's national firewall, while GreatFire.org was targeted because it exposes internet censorship across the globe.

Researchers have discovered a new remote access trojan (RAT), that is currently being used to steal login credentials, record video, and includes a keylogging component to assist in its objectives. Given the amount of news surfacing regarding ransomware and exploit kits most can be forgiven if they forgot RATs are still a threat. A RAT forms part of the trojan family of malware and includes a backdoor which grants administrative control of the machine infected. RATs tend to be downloaded invisibly via a user-requested program. They are also difficult to detect because they usually don't show up in lists of running programs or tasks. The actions they perform can be similar to those of legitimate programs. Furthermore, an intruder will often manage the level of resource use so that a drop in performance doesn't alert the user that something's amiss.

Cryptocurrency exchanges have been a target for hackers wanting to get their hands on cryptocurrency when they first began offering their services. Now, according to a statement made by Upbit, a South Korean cryptocurrency exchange, they have suffered a 48.5 million USD loss as a result of hackers. On November 27, 2019, the company suspended all deposit and withdrawal services, stating 342,000 in Ethereum (ETH) had been stolen from one of the companies Upbeat Ethereum hot wallets to a previously unknown wallet address.

According to Lee Seok-woo, chief executive of Doo-myeon, the operators of Upbit, the attack took place at 1:06 pm Korean time on November 27. Other than that very little is known as to the nature of the attack as well as who may be behind the attack. However, the wallet used by the hackers could be traced and showed that the stolen Ethereum was done over the course of 17 transactions. At the time of writing the cryptocurrency was still in the wallet. In the statement, Leon Seok-woo stated that Upbit assets will cover the stolen funds and customers will not be impacted beyond an estimated two-week timeframe for deposit and withdrawal services to resume. It was further noted that any cryptocurrency that was still in the affected hot wallet had been transferred to a cold wallet not connected to the Internet.

Exploit kits like RIG and Fallout made news headlines for being associated with the distribution of Sodinokibi and GandCrab respectively. By been used to distribute some of ransomware's biggest players researchers have noted a rise in popularity of other hackers and malware authors using exploit kits to drop other forms of malware onto unsuspecting victims. This popularity seems to have driven another evolution in the history of exploit kits in that three out of nine exploit kits analyzed by researchers have migrated to being fileless.

When asked to think of a botnet, any botnet, many researchers and journalists will list Emotet. The botnet is, without doubt, one of the more dangerous Botnets seen in recent memory. Been used to distribute the Ryuk ransomware will most certainly grab headlines and the attention of those who made cybersecurity their careers. A new botnet recently discovered, called Roboto, will also look to dominate headlines in the near future. Not for features it boasts but rather the network infrastructure behind it.

Typically in the past Botnets were seen as a collection of internet-connected devices turned into bots by malware to run DDoS attacks, steal data, and send spam. Newer botnets can also be seen distributing other forms of malware, like in the case of Emotet. Traditionally, most botnet operations have been associated with carrying out DDoS attacks, however, as hackers saw that their botnets could be used for other purposes they looked to add a raft of features to run multiple applications.

On November 14, 2019, US retail giant Macy’s announced that it had suffered a data breach. The breach appears to be the result of another Magecart attack, with Macy’s now be added along with British Airways to a list of high profile Magecart attacks. In a Magecart attack, the hacker targets the shopping cart feature on an eCommerce website. The hacker injects malicious code into the function which allows the hacker to skim credit card details and send them to a command and control server. In the Macy’s incident malicious code was added both to the checkout and shopping cart pages which allowed the hacker to steal even more customer information.

According to the announcement, the checkout and cart pages were hacked on October 7 with the hack only been detected on October 15. This means that for a week any details entered on the compromised pages could have been collected by the hacker. The attackers in this instance were able to access customer information and credit card information that includes the customer's first name, last name, address, city, state, zip, phone number, email address, payment card number, CVV number, and card expiration details. The retail giant noted,

Hospitals around the world have a lot on their plate, dealing with life-threatening emergencies and illnesses on a minute to minute basis. Increasingly hospitals also now have to fend off another kind of virus, that of malware and in particular trojans. Due to the incredibly sensitive patient information stored on a hospital's network, they have become juicy targets for hackers, with some trying their utmost to gain access to those networks. Malwarebytes recently released a report titled Cybercrime tactics and techniques: the 2019 state of healthcare which paints a pretty worrisome picture of the battle raging on hospital networks.

Some of the report's key takeaways have been highlighted in a blog post for those not wanting to read the entire report. What researchers have determined is that the increase in attacks on hospitals is been driven by numerous factors, with one such factor being that hospitals are often guilty of not securing sensitive data correctly making it easier for hackers to steal. Other factors include exploiting vulnerabilities found on legacy software which remains unpatched and the effective use of social engineering to get hospital staff to unknowingly download malware. Researchers also found that no matter the size of the healthcare institution it would be targeted, whether small private hospitals to far larger healthcare enterprises.

When news broke about the Spectre and Meltdown vulnerabilities at the start of 2018 a lot of fuss was made as to how potentially dangerous these vulnerabilities were if exploited correctly. The fuss may have been justified as it may have provoked people to update their systems when patches were released. Even if you are not Nostradamus you could predict that a similar vulnerability would grab headlines for the danger it posed. That vulnerability did come forth in May of this year, CVE-2019-0708, named BlueKeep. The jury is still out on whether it needed the attention given to it and whether it posed the danger, namely been wormable, as advertised. Microsoft is still warning users that the threat is real and can be leveraged in dangerous attacks.

The tried and tested method of distributing malware via phishing campaigns have always used a variety of tactics to trick users into downloading malware. Whether they entice clicks by tricky the user into believing they have won something or emails sent to business appearing like invoices, there is no end to hackers attempts and imagination. A new campaign has been spotted targeting employees in the insurance and retail industries, sending emails that appear to be from the UK Ministry of Justice but in reality contain a piece of information stealing malware.

The campaign was discovered by security firm Cofense who published their findings via their blog. Researchers discovered emails that contained the Ministry of Justice logos and had the subject name court. The content of the email claims to have information relating to a court case, in this specific instance the email states it contains information relating to “Your Subpoena”. The shock tactics continue in that the email instructs the user to click the provided link as they are provided to attend a court of law and must comply within 14 days. Other than that there is no information pertaining to the legal matter or which court they are required to attend. It is easy to see why such tactics could scare someone into clicking the link. Finding out you’ve been summoned to court for whatever reason is a stressful affair.

The list of high profile companies and government departments hit by ransomware infections continues to grow at an alarming rate. Last week this publication covered how the City of Joburg municipality of Johannesburg South Africa was hit by hackers demanding a ransom. Although it seems no specific piece of ransomware was used, it illustrates why hackers are looking to target companies and government departments. This week it emerged that both a Spanish IT provider, Everis​ an NTT DATA company, better described as a managed services provider (MSP) and Cadena SER (Sociedad Española de Radiodifusión), Spain’s largest radio station, both suffered ransomware attacks resulting in file encryption.

Since the operators of GandCrab ceased operations, a void in the Malware-as-a-Service sector was left open. Since proving how effective it could be to rent out ransomware as well as partner up with other cybercriminal syndicates to improve distribution, for example, other malware authors have been left looking to follow the business plan developed by GandCrab. To a greater or lesser extent, many have looked to emulate the GandCrabs notion of Ransomware-as-a-Service (RaaS), to varying levels of success. One such scheme is currently been deployed by those behind the Nemty ransomware.

First discovered by researchers in August, Nemty is new to the ransomware party currently dominated Ryuk and .STOP. This has not discouraged the malware authors, who even were quite heavily criticized on underground hacking forums. This did not discourage them it seems and the ransomware has gone through several changes and updated versions. Now they have found a new partner in helping distribute the ransomware, further helping the operators develop their RaaS business model. According to research published by Symantec, those behind Nemty have partnered with the operators of the Trik botnet, also referred to as Phorpiex, to help spread the new ransomware. Trik is a veteran malware when compared to Nemty and has been operating for at least 10 years. IN those 10 years the malware has been used to spread numerous other malware variants including GandCrab.

On Monday 28, 2019, news began emerging on Twitter that the Kudankulam Nuclear Power Plant (KNPP) might have been infected with a dangerous strain of malware. Pukhraj Singh, a former security analyst for India's National Technical Research Organization (NTRO) and researcher closely following the matter, concluded that a recent VirusTotal upload was linked to a malware infection at the KNPP. Initially, the KNPP denied that they had suffered a security incident. Matters were not helped by the station experiencing a shutdown of one of the reactors leading to the public to conclude incorrectly that malware incident was related to the shutdown.

Initially, the power plant responded saying the incident amounted to “false information”, however, in a separate statement released on October 30, the power plant admitted they had indeed suffered a cybersecurity incident. While the power plant stuck its head in the sand numerous researchers were analyzing the sample uploaded to VirusTotal. Several researchers that the malware used was DTrack a custom trojan developed and deployed by the Lazarus Group. For those needing a reminder, Lazarus is probably North Korea’s top state-sponsored hacking group responsible for the theft of millions of dollars.