Internet threat news

Hackers do not need computer science geniuses to carry out successful cyber-attacks or scams, with many attacks relying on the work and malware developed by previous threat actors. When a seemingly advanced hacker group which uses its own tools begins to attack financial institutions warning flags should and are often raised. This is the case regarding Silence, a hacker group specializing in stealing funds from financial institutions, has significantly ramped up operations targeting banks from over 30 countries. This has resulted in the group causing a sharp increase in financial losses suffered by organizations across the globe.
 
Researchers at Group-IB, Singapore-based cybersecurity company specializing in attack prevention, have been tracking Silence since its timid birth in 2016. The security firm has released two comprehensive reports tracking and analyzing the group’s attacks. The first report published towards the end of 2018. Silence at its formation was content to learn from those hackers who had come before. Once lessons were learned the group began actively targeting banks and other financial institutions. Since attacks began to now the hacker group has stolen over 4 million USD from numerous banks and financial institutions. By the time of the first report was published the group had only managed to successfully steal 800,000 USD. The difference in amounts stolen illustrates the ramping up of the group’s activity from the first report to the second.

Last week this publication covered how the Cerberus banking trojan was filling a gap in the malware-as-a-service market (MaaS) left by a crackdown on other similar trojans. The threats posed by MaaS schemes was briefly looked at in that article. As if to put a finer point on threat security researchers have discovered a recent campaign of the trojan Adwind been distributed in a campaign targeting utility companies. Adwind, also called jRAT, AlienSpy, JSocket, and Sockrat, has been active in one form or the other since 2013 and like Cerberus adopted the MaaS model.
 
According to a report by security firm Cofense, the newest campaign distributing Adwind was discovered by its researchers. The malware is distributed by a phishing campaign using emails from a compromised company server. The email contains a PDF file which contains the malicious payload. Further, the malware is rented out to threat actors for a subscription fee. According to the researchers, the trojan is capable of defeating a broad spectrum of anti-virus products. However, if the product features a sandbox environment or behavior-based detection methods it will be able to detect the malware with little problem. This ability to avoid detection is critical to the malware's success but the infection chain begins earlier with the receiving of the phishing email.

Banking trojans, malware-as-a-service (MaaS), and others are just some of the terms used by security researcher’s to define malware types and cybercrime. This jargon can come to be a headache for some and a nightmare for others when they find out their bank accounts have been cleaned out. With the emergence of Cerberus, a banking trojan sold as a service to rent to any interested party is now filling a gap in the market left by other such trojans which also rented out their services who have subsequently thrown in the towel. Like those that have stopped operations Cerberus actively targets mobile phones running Android.
 
In an article published by researchers from security firm ThreatFabric, has revealed details about the trojan, named after the mythological three-headed dog who guarded the gates to the underworld. Before Cerberus is looked at, it is wise to unpack exactly what a banking trojan is as well as the MaaS business model. Banking trojans, particularly those targeting mobile devices, are pieces of malware which disguise themselves as legitimate apps which when installed are designed to steal credentials, particularly those for banking apps. Once the correct credentials are stolen the hacker could access the victims banking app and account allowing for the withdrawal of funds fraudulently. MaaS can be seen as the malware equivalent to the software-as-a-service business model. Rather than leasing out the services of a software package, malware authors rent out their malware with some others even providing technical support to their less than moral customers.

Researchers based at ESET, the well-known Slovakian security firm, have published an article detailing the emergence of a new spambot targeting those residing within the borders of France. A spambot is a malicious program designed to collect email addresses, once a list is created spam email is sent to those collected addresses. Most spambots will send malvertising with the intent to collect more information, sometimes credit card information, or redirect users to specific websites. What is of interest to researchers is that the campaign spreading the malware not only distributes a spam bot but has been leveraged to carry out in a sextortion campaign.
 
Varenyky, the name given to the malware by researchers, targets the users of Orange S.A., a French internet service provider. The first detections by ESET occurred in May 2019, these detections were subsequently verified by ANY.RUN with a twitter post on June 2019. The malware was named in July when researchers witnessed the first sextortion scam been launched. Researchers contend that,

State-sponsored actors have long known that hiding malware in images, a technique called steganography, is an effective way to distribute and infect users with malware. Steganography can be defined as the technique of hiding secret data within an ordinary, non-secret, file or message to avoid detection. The secret data is then extracted and sent to its target destination. This technique is often employed by including malware within the hidden text of an image, whether .jpg or other formats, the malware is often encrypted to prevent detection. Since the use of the technique was popularised by state-sponsored actors, hackers have since adopted the technique to further their goals.

Now, according to an article published by security firm Trend Micro, the LokiBot malware family has been upgraded to use steganography to infect victims. Steganography is used for legitimate purposes, such as assisting in protecting intellectual property, this is not the case for LokiBot. A recent analysis of LokiBot has revealed that the latest variant has been encrypted and hidden in .png image files. Further, malicious archive files were also detected in spam emails. The latest variant was detected when a phishing email was sent to a company in South East Asia. The mail contained a Microsoft Word .doc attachment containing two objects, a Microsoft Excel 97-2003 Worksheet and a package labeled “package.json.” A scan on VirusTotal uncovered other, similar samples containing very similar if not the same steganographic elements.

Often in the InfoSec community, a lot of attention is given to new and innovative malware variants and how they infect a user to turn them from daily user to victim. This has led to a view that most hackers and cybercriminals are incredibly tech-savvy and can code lines at a rate of hundreds per minute. Often, what has worked for confidence artists for years also works now in a digital age. In April of this year, this publication covering how sextortion scammers were changing tactics after their profits took a significant knock as victims were advised not to pay as the likelihood of the criminals having incriminating or embarrassing material was incredibly unlikely. Now the US Federal Bureau of Investigation warns of another scam which combines a romance scam with a money mule scam.
 
In a money mule scam people are often tricked into transferring money from an illegitimate source to either another illegitimate source or more commonly to a legitimate source in an attempt to launder the money. Money gained from ransomware campaigns, for example, needs to be laundered so it can be used more efficiently by criminal organizations. Previously to try and trick people, the scam would involve fake job or ad postings which prompted victims to transfer funds to fake businesses. The victim’s believed they were a legitimate partner in the business but landed up laundering money for a cybercriminal or other criminal enterprise. The other side of the coin is a romance scam, sometimes also called a confidence scam, which involves the criminals trawling dating and friendship sites. These often play out with the criminal befriending a man or women, in an attempt to gain their trust, once the victim's trust is gained the con begins with the other party asking for money to be sent over. This can be for a variety of supposed reasons whether flights, bail, or legal fees. Of course, the money is never used for this but pocketed by the criminal.

The business of protecting users, networks, and entire systems from hackers and state-sponsored threat groups has never been a stagnant industry or boring. New threats in the form of malware are expected but how to detect them and ultimately prevent them from causing havoc is not an easy task. Security researchers at Lockheed Martin 2011, developed a methodology to detect and neutralize cyber threats. The methodology was called the Cyber Kill Chain which involved several stages in dealing with cyber threats. The stages presented how a cyber-attack occurred and presented it as a chain of events. This chain was developed to help researchers and analysts understand the enemy. However, a lot has happened since 2011 and the Cyber Kill Chain may not accurately describe how a cyber-attack happens and how the attacker operates.

This opinion is shared by numerous researchers including Tom Kellermann, Chief Security Officer at Carbon Black and former cyber commissioner for President Obama, who recently published a paper titled “Cognitions of a Cybercriminal” which prevents a new theory to help researchers better combat cyber threats. His theory, which he terms “Cognitive Attack Loop”, looks to address the apparent failure of the Cyber Kill Method. The theory is an attempt to describe how real-world attacks, particularly those of state-sponsored groups, are carried out. Recent attacks illustrate that the old view of hackers looking to break in, steal, and exit as quickly as possible, like in a burglary, no longer applies.

Continuing the trend with government and law enforcement been targeted by ransomware operators, news broke that the Georgia Department of Public Safety (DPS) has been struck by a ransomware infection. According to Fox News 5, the infection began on Friday, July 26. The infection was discovered when an officer spotted a strange message on a “field laptop”. According to other news sources the infection spread to the entire DPS system effectively crippling some operations. In response, the agency shut down all its IT systems, such as email servers, public website, and backend servers, to contain the infection.

Efforts to contain the infection resulted in the outage police car laptops for three police departments. Those departments included the Georgia State Patrol, Georgia Capitol Police, and the Georgia Motor Carrier Compliance Division. While the effects of the ransomware were felt across departments t did not severely impede the three departments' ability to do their work. With officers treating the outage as if it was planned maintenance or another reason for system downtime. This was not the first time a department of the Georgian government has experienced a cyber incident in recent memory, the Georgia Emergency Management Agency (GEMA) and the Lawrenceville Police department were also hit by ransomware earlier in the month.

An online group of anonymous cybersecurity researchers called Intrusion Truth has revealed who exactly is behind the advanced persistent threat APT group codenamed APT 17, or often also referred to as Deputy Dog or Axiom. The group has been linked to numerous hacks on private companies and government agencies this decade. In 2017, this publication published an article detailing how the popular drive cleaner CCleaner and its software download service was compromised to download and install the Floxif malware. Researchers at Cisco Talos attributed the attack to APT 17 and also discovered that numerous private companies were also targeted in the same campaign including security firms.

This will be the third Chinese cyber espionage group unmasked by Intrusion Truth, with earlier investigations resulting in the US Department of Justice indicting members from both APT 3 and APT 10. The anonymous crusaders have developed a reputation for uncovering who exactly is behind some of the more infamous cyberespionage groups. Intrusion Truth uses a technique, called doxing, to help uncover the identities of those behind APT groups. Doxing has come to mean the process by which hackers, or in this case security researchers, retrieve and publish personal details of their targets. Information can include but is certainly not limited to, names, addresses, phone numbers, and credit card details. Often in malicious cases of doxing the main aim of the hacker is coercion, however, in this instance, it could be argued that the doxing is done to increase pressure on the APT group or result in charges been laid against individuals.

Good news when it comes to matters concerning cybersecurity is in the vast minority when compared to data breaches, ransomware infections, state-sponsored attacks, and the like. Often vast amounts of money are stolen, defrauded, and extorted from victims and with such a torrent of threats and information about new threats individuals can often be left feeling helpless. The reality is there exist partnerships that spread across the globe that do their utmost to combat the scourge of cybercrime. One of those partnerships is No More Ransom, a partnership between law enforcement and private institutions to combat and disrupt ransomware operations.

The partnership was initially created by three founding partners in July 2016, those organizations being Europol, Politie, and McAfee. The partnership has since grown to include more than 150 partners. Today (link to press release when officially released), July 26, 2019, marks the partnerships third anniversary. Over those three years, No More Ransom has racked up some significant milestones along the way. The industry often measures the success of a particular ransomware strain by the amount of money it has made. No More Ransom can be seen as the complete opposite. At the time of writing the partnership had helped more than 200,000 victims successfully recover encrypted files. The site has been visited over 3 million times with visitors from 188 countries. Perhaps most significantly the partnership has prevented an estimated 108 million USD in profit from reaching the pockets of cybercriminals. No More Ransom has come to be an important resource in the fight against ransomware for individuals and organisations.

According to BBC Russia, a contractor believed to work with the FSB, Russia’s intelligence service, was hacked on July 15, 2019. A group of hackers named 0v1ru$ hacked into SyTech's Active Directory server from where they gained access to the company's entire IT network, including a JIRA instance. This access enabled the hackers to steal 7.5TB of data, which included information concerning projects worked on by the contractor for the intelligence agency. Forbes, who has also been covering the incident, believe that this incident may be the largest suffered by and impacting the FSB.

To add insult to injury the hacking group left a “Yoba Face” on the contractor's homepage, the face been mainly interpreted as an emoticon for trolling. 0v1ru$ then passed on the data to another, larger, hacking group DigitalRevolution who subsequently shared the files with various media outlets and the headlines with Twitter. DigitalRevolution made headlines in 2018 when they successfully breached Quantum another Russian contractor. While announcing the hack on Twitter the larger of the two groups then shared the stolen files with journalists. While there is conflicting information about the exact nature of the leaked information, BBC Russia stated that no state secrets where leaked.

Currently, owners of routers within the borders of Brazil are experiencing a sustained attack on their home routers. For nearly a year now routers based in Brazil have been targeted with a new type of router attack, which according to researchers at multiple security firms has not been seen anywhere else in the world. If the attack spreads to routers in other countries this will mean Brazil is ground zero for this new kind of attack and a single Brazilian router may hold the infamous and unwanted title of patient zero. Often routers are targeted for the creation of botnets, such as Mirai or other DNS (Domain Name Server) attacks. This latest attack shares many similar traits with other DNS attacks but differs in some significant ways. A DNS attack can be defined as an attack which looks to take advantage of certain vulnerabilities arising from the DNS system. These include DNS spoofing or Cache Poisoning, when the attacker corrupts a DSN server by replacing a legitimate IP address in the server’s cache with that of another, rogue address in order to redirect traffic to a malicious website, collect information or initiate another attack; and Denial of Service attacks which involve an attack in which a malicious bot sends send more traffic to a targeted IP address than what it was designed to handle resulting in downtime.

A new week, a new ransomware variant seems to be an ongoing trend in the digital realm. This week continues the trend with news emerging of the discovery of a new ransomware variant, called DoppelPaymer. The new ransomware has been seen to be infecting victims since mid-June with the ransom asked sometimes topping hundreds of thousands of USD. According at security firm CrowdStrike the ransomware has seen at least eight variants which have extended the malware’s capabilities with each successive variant, the first of these dates back to April of this year.

DoppelPaymer takes its name from another ransomware BitPaymer, from which the early copies much of the latter’s code. Despite the similarities in the source code between the two pieces of malware, there are significant differences between the two. CrowdStrike noted that,

“There are obvious similarities between the tactics, techniques, and procedures (TTPs) used by DoppelPaymer and prior TTPs of BitPaymer, such as the use of TOR for ransom payment and the .locked extension. However, the code overlaps suggest that DoppelPaymer is a more recent fork of the latest version of BitPaymer. For example, in the latest version of BitPaymer, the code for RC4 string obfuscation reverses the bytes prior to encryption, and includes a helper function that provides support for multiple forms of symmetric encryption (i.e., RC4, 128-bit AES, and 256-bit AES)…”

A new Android malware has been discovered. What makes this piece of malicious code interesting is its capability to replace legitimate apps with ad infested ones on the victim’s device. The malware, called Agent Smith by security firm Check Point, has infected over 25 million devices. The malware version of Agent Smith is far more dangerous to the everyday user then the fictional character from the Matrix films. The vast majority of these being on the Asian sub-continent with the vast majority of infections been detected in India with 15.2 million infections. Both Pakistan and Bangladesh have also experienced large numbers of infections, with those being 2.5 million and 1.7 million respectively. It has also been revealed that victims can remain infected for an average of two months.

In an article recently published by security firm Check Point, details of the malware have been released to the public along with a technical analysis of the malware. According to researchers, the malware was discovered earlier this year. Since its discovery researchers have tracked down the location of the malware’s operators, with their location being the city of Guangzhou, China. The operators appear to have set up a legitimate company as a front for distributing and profiting from Agent Smith. The legitimate company advertises itself as a business that helps Chinese Android app developers publish and promote their apps on overseas platforms. However, Check Point discovered that the company was posting ads for job positions that would be consistent with the requirements of operating Agent Smith and its associated infrastructure. Further, these positions would have very little to do with the job requirements needed for the legitimate side of the company.