Internet threat news

The state-sponsored group DarkHotel has been an active thorn in the side of security firms since 2007, not to mention the victims of the group. The group has gone by many names, however, it has been much of the work done by Kaspersky Labs in analyzing the group’s activity that has led to DarkHotel sticking. Now, it would appear that the group has been conducting a massive hacking operation targeting Chinese government agencies across the globe. It is believed attacks began in March, looking to leverage the COVID-19 pandemic as a means to lure victims. Since the pandemic became a global emergency, hackers of all kinds, whether script-kiddies to advanced persistent threat (APT) groups have looked to take advantage of people’s fears regarding the disease. This trend is likely to continue as long as the pandemic rages across borders.

The latest campaign was discovered by Chinese security firm Qihoo 360, who subsequently published their findings in a blog post on April 6. Researchers discovered that the hackers used a zero-day vulnerability in Sangfor SSL VPN servers which is used to provide remote access to enterprise and government networks. Given that approximately 4 billion people are currently living under lockdown conditions due to the pandemic, the use of VPNs has increased as many still look to work remotely. This spike has led many hackers to look for flaws in VPN servers or incorrectly configured VPNs to exploit this spike in use. In practice, a VPN can be seen as a secure communication tunnel that extends a private network across public networks. This connection allows for devices separated by long distances to connect to servers on a company’s private network for example.

Since January 2020, various security firms have been tracking an active campaign spreading spyware. One of the reasons the campaign is noteworthy is that it is actively targeting iOS devices. The spyware, called LightSpy is distributed via watering hole attacks. These attacks involve the attacker looking to target specific groups of potential victims by infecting websites that members of the group are known to visit. The goal is to infect a targeted user's computer and gain access to a broader network. Some instances of these attacks the attacker looks to target popular websites. Once a website is found the attacker will begin to look for vulnerabilities in the websites HTML and JavaScript code which can then be leveraged to distribute malware.

The campaign distributing LightSpy differs in several ways to the traditional watering hole attack. One of the key differences is that the attackers created a website to mimic a popular website. In this instance researchers discovered that a clone of the news website Daily Apple, a popular website hosted in Hong Kong, was created to distribute LightSpy. To get users to visit the cloned website various links were posted on several platforms redirecting users to the clone website. Once the visitor accesses the website controlled by the attacker the site loads exploits onto the visitor’s device which subsequently installs LightSpy. More on the malware to follow.

It is not by any means new to say that hackers are looking to exploit the COVID-19 pandemic, despite the misery and loss of human life the disease has already caused, for their own benefit. At the start of February, this publication reported on several malware campaigns exploiting the health pandemic. As the situation has become worse globally so too has the number of campaigns increased looking to exploit panic sentiments and get users to unwittingly download malware. The latest example of such a morally apathetic campaign was discovered by researchers for IBM’s X-Force and involves the re-emergence of the Zeus Sphinx banking trojan.

Banking trojans typically are a family of malware designed to steal banking credentials in order to hijack accounts or sell stolen credit card details and other credentials on underground forums. In recent years many variants have upgraded their code to also hunt for cryptocurrency wallet credentials as this too has become a profitable market to exploit. One of the most well-known of these trojans is Zeus which was first detected in 2007 with widespread campaign making headlines in 2009. Eventually, Zeus’ code was leaked which in turn led to a whole host of other malware strains being created. One of those was Zeus Sphinx, sometimes also called Terdot and ZLoader, with the first major campaigns been tracked by IBM in 2017. However, the malware appears to have first emerged in 2015 and was subsequently sold on underground forums for 500 USD at the time.

When covering malware incidents it is exceedingly rare to refer to hackers using conventional mail services, sometimes often snidely referred to as snail mail, to carry out attacks. It is equally rare to cover attacks that utilize a malware-laced USB drive to infect computers. These attacks have been labeled BadUSB attacks by the infosec community, while rare they are not unheard of. In a recent report published by security firm Trustwave, a US hospitality provider has been the target of a BadUSB attack.

Given the rarity of these attacks often a quick Google search won’t reveal exactly what such an attack entails or even a solid definition. “BadUSB” has come to be an umbrella term used to describe any type of universal serial bus (USB) firmware attack. A better explanation of such an attack was given in a research paper published by the Canadian Center of Science and Education in 2017, titled “Bad USB MITM: A Network Attack Based on Physical Access and Its Practical Security Solutions”.

In a report published by FireEye, a worrying trend has emerged. The use of ready-made Industrial Control System (ICS) hacking tools has been on the rise lowering the skill entry barrier, not only for state-sponsored groups but novice and unskilled hackers as well to exploit and cause major disruptions. The number of these tools has been steadily growing resulting in the problem becoming more of an issue, with the threat demanding more attention to combat.

Industrial control systems can be defined as an information system designed with the specific purpose of controlling industrial processes. These processes include manufacturing, product handling, production, and distribution. Attacks on these systems can be particularly damaging as they have the potential to disrupt modern services we take for granted, be it the generation of electricity or water sanitation. Attacks on infrastructure can be disastrous but for businesses, they can result in massive losses. In April 2019, the now infamous Triton malware was used to target a petrochemical plant in Saudi Arabia.

Governments and companies are increasing lockdown measures to prevent the spread of COVID19, this has placed increase strain on governments as well as private industry. As has been seen and documented by this publication hackers and state-sponsored groups are looking to leverage the pandemic to better spread malware, exploiting people’s fears. For other gangs, it is business as usual. CERT (Computer Emergency Response Team) France has issued a warning that some local governments have been infected with a new version of Mespinoza ransomware.

The US Department of Health and Human Services (HHS) confirmed that it had experienced a cyber attack the previous Sunday, 15 March. This is particularly worrying as it comes at a time where both local and international health agencies are struggling to battle the ongoing spread of COVID-19, otherwise known as the Coronavirus. The incident was first reported by Bloomberg, in that article, an anonymous source was cited as saying the incident involved “multiple incidents” and appeared to be designed to slow the department’s systems. However, they did “not do so in any meaningful way”, the article said. Further, the article said that the attack was linked to a text message-based disinformation campaign that wrongly suggested that there would be a nationwide quarantine on Monday.

It is by no means new news that governments around the world are been targeted by ransomware operators. Recently the US Coast Guard, Georgia Police Department, and the municipality of Jackson County have all fallen victim to a ransomware attack. This is not solely a problem experienced by US government departments, Emisoft determined that ransomware attacks impacted at least 948 government agencies, educational entities, and healthcare providers. Returning to the US briefly Recorded Future discovered that 81 successful ransomware attacks took place against US government bodies across the year. The successful attacks further impact other towns, cities, and departments in subsequent knock-on effects. This all begs the question as to why?

As part of Microsoft’s February Patch Tuesday a total of 99 vulnerabilities were patched. Much of the attention given to the event surrounded the patching of CVE-2020-0674, a zero-day vulnerability found in Internet Explorer that when exploited could potentially allow an attacker to execute arbitrary code through corrupting the scripting engine’s memory. This vulnerability was actively been targeted by hackers according to Microsoft in an advisory dated January 17, 2020. It was little wonder that this got the attention other than the other 98 patches released on patch Tuesday. However, some nation-state groups appear far more interested in CVE-2020-0688, a vulnerability found Microsoft’s Exchange Server which was described rather tersely by Microsoft as,

The Ryuk ransomware continues to add high profile targets to its victim list. From the US Coast Guard to Fortune 500 companies, it would seem no company or organization is safe if the malware’s operators have the company in their sights. The latest to fall victim to a Ryuk infection is legal services and e-discovery firm Epiq. The company took its systems offline on March 2, 2020, after Ryuk began encrypting critical files. The news was initially broken on the same day by Robert Ambrogi who discovered the company’s corporate website was offline following a security incident.

For hackers, whether the financially motivated or state-sponsored kind, the question of how to clean and safely use stolen funds is a major hurdle to jump. When banks and other financial institutions adopted know your client (KYC) rules as specified in numerous countries adopting similar pieces of legislation which determined the rules, ways in which hackers could launder their money were once again hamstrung. With the rise of cryptocurrency exchanges, another avenue opened when unscrupulous owners didn’t care too much where the Bitcoin was coming from. Authorities were not blind to this development and several high profile arrests and platform closures were made which helped prevent further laundering.

At the RSA 2020 security conference in San Francisco security researchers from ESET disclosed a new vulnerability that impacts WiFi communications. Along with the presentation given by ESET the Slovakian based security firm also published a white paper detailing the discovered vulnerability, currently been tracked as CVE-2019-15126. Named Kr00k, the bug can be exploited by attackers to not only incept traffic but decrypt some traffic that relies upon WPA2 connections.

According to the security firm Kr00k affects all WiFi-capable devices running on Broadcom and Cypress Wi-Fi chips. These are two of the world's most popular WiFi chipsets, and they are included in almost everything, from laptops to smartphones, and from access points to smart speakers and other Internet of Things (IoT) devices. Given the wide usage of the affected chips, it has been estimated that over a billion devices are vulnerable.

The last time this publication reported on the Raccoon info stealer malware, was when it was being dropped by Legion Loader as an additional payload along with several other malware variants. Raccoon has yet again popped up on the researcher’s radar, which is unsurprising given how popular on underground forums the malware has become of the last year. Raccoon proves that what was once cutting edge a few years ago, can be offered now for a modest price but still retain its effectiveness. While Raccoon does to rewrite the book on malware development it has undergone constant upgrades while been offered as a malware-as-a-service (MaaS) and continues to be a threat despite its lack of sophistication.

In January 2012, the European Union (EU) began the long process of creating a framework for data protection reform. One of the proposals associated with these reforms was the legislation was titled the General Data Protection Regulation (GDPR). The reforms were agreed upon in December 2015, and GDPR came into full effect on May 25, 2018. This often left companies and other organizations scurrying to ensure they were compliant with the law which probably left a bad taste in many a CEO’s or board of director’s mouths. It has been a year and a half since the law, which boosts user privacy, was adopted and it seems to be having a positive effect on cybersecurity according to FireEye’s lasts report.