Internet threat news

When news broke about the Spectre and Meltdown vulnerabilities at the start of 2018 a lot of fuss was made as to how potentially dangerous these vulnerabilities were if exploited correctly. The fuss may have been justified as it may have provoked people to update their systems when patches were released. Even if you are not Nostradamus you could predict that a similar vulnerability would grab headlines for the danger it posed. That vulnerability did come forth in May of this year, CVE-2019-0708, named BlueKeep. The jury is still out on whether it needed the attention given to it and whether it posed the danger, namely been wormable, as advertised. Microsoft is still warning users that the threat is real and can be leveraged in dangerous attacks.

The tried and tested method of distributing malware via phishing campaigns have always used a variety of tactics to trick users into downloading malware. Whether they entice clicks by tricky the user into believing they have won something or emails sent to business appearing like invoices, there is no end to hackers attempts and imagination. A new campaign has been spotted targeting employees in the insurance and retail industries, sending emails that appear to be from the UK Ministry of Justice but in reality contain a piece of information stealing malware.

The campaign was discovered by security firm Cofense who published their findings via their blog. Researchers discovered emails that contained the Ministry of Justice logos and had the subject name court. The content of the email claims to have information relating to a court case, in this specific instance the email states it contains information relating to “Your Subpoena”. The shock tactics continue in that the email instructs the user to click the provided link as they are provided to attend a court of law and must comply within 14 days. Other than that there is no information pertaining to the legal matter or which court they are required to attend. It is easy to see why such tactics could scare someone into clicking the link. Finding out you’ve been summoned to court for whatever reason is a stressful affair.

The list of high profile companies and government departments hit by ransomware infections continues to grow at an alarming rate. Last week this publication covered how the City of Joburg municipality of Johannesburg South Africa was hit by hackers demanding a ransom. Although it seems no specific piece of ransomware was used, it illustrates why hackers are looking to target companies and government departments. This week it emerged that both a Spanish IT provider, Everis​ an NTT DATA company, better described as a managed services provider (MSP) and Cadena SER (Sociedad Española de Radiodifusión), Spain’s largest radio station, both suffered ransomware attacks resulting in file encryption.

Since the operators of GandCrab ceased operations, a void in the Malware-as-a-Service sector was left open. Since proving how effective it could be to rent out ransomware as well as partner up with other cybercriminal syndicates to improve distribution, for example, other malware authors have been left looking to follow the business plan developed by GandCrab. To a greater or lesser extent, many have looked to emulate the GandCrabs notion of Ransomware-as-a-Service (RaaS), to varying levels of success. One such scheme is currently been deployed by those behind the Nemty ransomware.

First discovered by researchers in August, Nemty is new to the ransomware party currently dominated Ryuk and .STOP. This has not discouraged the malware authors, who even were quite heavily criticized on underground hacking forums. This did not discourage them it seems and the ransomware has gone through several changes and updated versions. Now they have found a new partner in helping distribute the ransomware, further helping the operators develop their RaaS business model. According to research published by Symantec, those behind Nemty have partnered with the operators of the Trik botnet, also referred to as Phorpiex, to help spread the new ransomware. Trik is a veteran malware when compared to Nemty and has been operating for at least 10 years. IN those 10 years the malware has been used to spread numerous other malware variants including GandCrab.

On Monday 28, 2019, news began emerging on Twitter that the Kudankulam Nuclear Power Plant (KNPP) might have been infected with a dangerous strain of malware. Pukhraj Singh, a former security analyst for India's National Technical Research Organization (NTRO) and researcher closely following the matter, concluded that a recent VirusTotal upload was linked to a malware infection at the KNPP. Initially, the KNPP denied that they had suffered a security incident. Matters were not helped by the station experiencing a shutdown of one of the reactors leading to the public to conclude incorrectly that malware incident was related to the shutdown.

Initially, the power plant responded saying the incident amounted to “false information”, however, in a separate statement released on October 30, the power plant admitted they had indeed suffered a cybersecurity incident. While the power plant stuck its head in the sand numerous researchers were analyzing the sample uploaded to VirusTotal. Several researchers that the malware used was DTrack a custom trojan developed and deployed by the Lazarus Group. For those needing a reminder, Lazarus is probably North Korea’s top state-sponsored hacking group responsible for the theft of millions of dollars.

While not one of the Republic of South Africa’s capitals, Johannesburg is the country’s largest city in terms of size, populace, and GDP contribution. The city now has another less pleasant feather in its cap, the city has now experienced a novel method of cyber-attack. On October 24, the City announced that it had suffered a cybersecurity incident. Taking to Twitter, city officials announced that the municipal authority, City of Joburg, had suffered a security breach, as a result, many of the municipality’s e-services had been taken offline and residents were unable to access certain services with officials stating,

“The incident is currently being investigated by City of Joburg cybersecurity experts, who have taken immediate and appropriate action to reinforce security measures to mitigate any potential impacts. As a result of several customer-facing systems — including the city’s website, e-services and billing systems — have been shut down as a precaution.”

For many, the advent of home speakers like Amazon’s Alexa and Google Home were must-have tech devices. Their simplicity centered round voice activation technology was hailed in some corners. In other more skeptical corners, privacy concerns dominate the debate. For security researchers searching for vulnerabilities and flaws were just part of their daily job. In 2018, some of these flaws were brought to the public’s attention with both Amazon and Google looking to solve the problems. Now, researchers working with SR Labs have published their findings detailing how the popular home speaker devices can be used for phishing and eavesdropping by threat actors.

Both of the phishing and eavesdropping attack vectors discovered center around the backends provided by the tech giants for developers to develop apps. The backend provided allows developers to create apps that allow the hardware to respond to certain commands. Often these commands are customizable so developers can create unique apps serving numerous needs. What researchers discovered is that by adding the Unicode symbol U+D801, dot, space which is represented as “�” graphically, can be inserted into certain locations within the backend which induce long periods of silence despite the speaker still being active.

Before the Czech security firm Avast acquired Piriform, the company which developed and maintained the popular registry cleaner CCleaner, the popular product had been compromised. The compromise occurred in 2017 before Avast acquired the popular product, with later analysis revealing that the infamous APT group sometimes called Deputy Dog but often referred to simply as APT 17 was behind the attack, deploying their Floxif malware via CCleaner downloads. Avast’s handling of the incident was seen by many as what should be the textbook response to such incidents.

Now, Avast gets a second chance to show that their response wasn’t a fluke and being open and honest regarding business compromises is the best approach despite the PR nightmare that inevitably ensues. In a blog post published it was revealed that the security firm was forced to counter another attack targeting the registry cleaner. According to the security firm suspicious activity was detected on September 23. Working in collaboration with the Czech intelligence agency, Security Information Service (BIS), it was discovered that the attackers gained access to the company via a compromised internal VPN owned by the company. Again, the attackers looked to target CCleaner and spread malware through compromised downloads of the registry cleaner.

The US Department of Justice (DoJ) announced that through the cooperation of US, South Korean, and other law enforcement agencies across the globe, they have managed to take down a Dark Web child pornography website along with the arrest of the individual running the site. Further, the DoJ rescued several minors who were actively being abused by contributors to the website. According to the announcement the officials managed to seize approximately eight terabytes of material involving the exploitation of minors as well as further arresting more than 300 people worldwide involved with the website in one form or the other.

If you have installed a program called JMT Trader to facilitate cryptocurrency trades you got far more than you bargained for. Last week the MalwarehunterTeam discovered a scam developed to distribute malware to both Mac and Windows machines. The scammer created a fake company to distribute a free cryptocurrency trading platform called JMT Trader. Once installed the trading platform would further install a backdoor trojan onto the machine.

Central to the scam is the website created by the attacker. It looks like any professionally done website, hoping to trick people who landed on it into downloading the free program the “company” offers. To further trick users and give the fake company some more legitimacy, the attackers also created a Twitter account, but have done little to maintain it or make it appear active. The last tweet on the account dates back to June 2019. If the user is looking to download the trading platform they are redirected to a GitHub repository where both Mac and Windows executables can be downloaded. The repository also contains the source code to the platform for those wishing to compile the code for Linux. At this stage, nothing appears to suggest any malware or malicious intent on the behalf of the attacker.

In a warning issued by the Federal Bureau of Investigation’s (FBI) cyber division private industries have been warned about attack able to bypass multi-factor authentication (MFA). According to the law enforcement agency, this is done through a combination of social engineering and SIM Swapping tools elaborated upon at a developer conference in June 2019. The warning specifically warns private industries and individuals about attacks using SIM swapping, vulnerabilities in online pages handling MFA operations, and the use of transparent proxies like Muraen and NecroBrowser. These tools when used in conjunction correctly can bypass soft forms of MFA, with the first being able to intercept login credentials and the later storing the data and hijacking the session cookie to log into now compromised accounts.

Since the first Magecart style attacks were detected in 2010 there have been over 2 million detections since then. These attacks continue to rise presenting a greater danger to online shopper unaware their credit card information can be stolen from their favorite eCommerce websites. Rather than Magecart representing one group or one specific piece of malware it has come to represent a unique attack tactic. Numerous groups are currently deploying Magecart style attacks in varying degrees of skill, some more advanced than others. The most infamous Magecart attack involved the breach of British Airways were the credit card data of nearly 400,000 customers were compromised.

A Magecart involves a hacker targeting the shopping cart systems found on eCommerce websites. The process of stealing the credit card data is known by as skimming and is done by the hacker injecting code, sometimes as little as 22 lines, into the cart's code. The code, often written in JavaScript is loaded when a customer attempts to checkout. The code then copies the credit card data entered by the customers and sent to the hacker’s command and control server.

Exposed databases are becoming an increasing problem for the public. In a recent report published by Comparitech, along with Bob Diachenko, an exposed server exposed the personally identifiable information (PII) of over 20 million Russian nationals. PII is most commonly seen as any data that could lead to the identifying of the individual, credit card information, identity number, medical records, and social security numbers are all examples of PII. The sensitive information was exposed from 2009 to 2016 and formed part of an Amazon Web Services (AWS) Elasticsearch cluster. The cluster in question was not protected by any form of encryption or password protection.

Within the cluster, devoid of any form of security, researchers discovered multiple databases. It was two of these databases that would have been of particular interest to any hacker and in turn the researchers. The two databases contained PII and tax information belonging to individuals. This information could be used in targeted phishing attacks or identity theft campaigns.

For some time numerous nation-state actors have realized the power of effective disinformation campaigns. APT groups like Fancy Bear have long realized that including a disinformation campaign along with other operations can influence political events. The Democratic National Committee, along with the US Presidential Campaign incidents can be seen as a benchmark other nation-state actors would look to copy. However, it is not only nation-state actors who have seen potential value in disinformation campaigns, now hackers and other cyber-criminal organizations have begun advertising their skills in conducting such a campaign.

Disinformation campaigns typically involves the abuse of social media platforms to disseminate fake news articles designed to further the attacker’s goal. According to research published by Recorded Future researchers discovered hackers offering disinformation services on Dark Web forums. According to the researchers two separate hackers were seen advertising and conducting such campaigns in exchange for a fee.