Internet threat news

Security experts often sound like the worst stuck record ever. “Update your software,” “update your hardware,” “update your operating system,” are said verbatim and on repeat constantly. The reason for all the repetition is that users to do not follow this simple advice. Updates are seen as an inconvenience rather than a security essential. If you are the owner of a MikroTik router it is most certainly time to patch your router. Security researchers on Twitter, including Kira 2.0, sounded the warning sirens showing that nearly 12,000 MikroTik routers are currently infected with various malware strains. Researchers began investigating further and it was discovered that a known vulnerability in the firmware of MikroTik routers is potentially far more dangerous than previously believed. The vulnerability in question, CVE-2018-14847, is present in the Winbox administration utility of MikroTik's RouterOS. According to research done by Tenable, the vulnerability allows remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID.

On Thursday, October 4, 2018, Bloomberg published an article which claimed that Chinese spies were able to gain privileged access to just under 30 major US companies. This access was granted through the spies planting tiny microchips inside motherboards used for Supermicro servers that eventually made their way inside the IT infrastructures of the major companies which included Apple and Amazon. The report shocked the public and resulted in Supermicro’s stock value plummeting by nearly 50%.

Soon after the story was published the companies supposedly involved came out with statements that strongly denied the claims made in the article. Not only did the companies question the story but many leading thinkers within the InfoSec community cast doubts upon the article's claims.

Most hackers and threat actors are often content to copy the work of others. This means that most of the world’s cyber-attack campaigns are conducted using tried and tested tactics and already existing, if slightly modified, malware variants. When a new and original method of attack becomes apparent the InfoSec community most certainly takes note. Security researchers at ESET definitely have the community’s attention with their report on LoJax.

LoJax is possibly the first case of an attack leveraging the Unified Extensible Firmware Interface (UEFI) boot system being used in an attack by a threat actor. In summary, the malware uses repurposed commercial software to create a backdoor in a computer’s firmware. The campaign using the malware has been active since 2017 and it is capable of surviving the re-installation of the Windows operating system or even hard drive replacement. While the malware had been spotted previously, ESET’s research is the first to show that it was actively attacking the firmware of computers to establish a tenacious foothold. What’s more, ESET has attributed the spread of the malware to Sednit, also known as FancyBear, the Russian state-sponsored operation tied by US intelligence and law enforcement to the cyber-attack on the Democratic National Committee.

On September 28, 2018, Facebook announced that it had suffered a major security breach. The social media giant simultaneously announced that 50 million user accounts were accessed by unknown attackers. The discovery was made by Facebook engineers on the previous Tuesday and that the attackers managed to seize control of the affected accounts. Since the announcement, Facebook has logged out the 50 million breached users and a further 40 million vulnerable accounts to prevent further exploitation of user accounts by the unknown attacks. It is generally seen by many that Facebook has had a torrid time of late this year, this major security incident may be the icing on the cake.

According to Facebook, the attackers managed to seize control of user accounts by exploiting three distinct bugs in Facebook's code. These bugs allowed the attackers to steal the digital keys the company uses to keep users logged in. As it was the digital keys that were stolen users are not required to change their passwords with Facebook having to reset the keys for all those affected. In a call to reporters CEO Mark Zuckerberg, whose own account was compromised, said that attackers would have had the ability to view private messages or post on someone's account, but there's no evidence that this occurred.

Recent reports across multiple platforms would indicate that hackers are still able to exploit the Google Play Store to upload malware with the intention of infecting Android devices. This is by no means a new phenomenon but hackers prove again that they are a resourceful bunch. No matter what countermeasures are employed a resourceful hacker will find a way to exploit the situation. In three separate instances, threat actors have looked to distribute malware using the Play Store. On September 24, security researchers at SophosLabs published an article explaining that at least 25 Android apps on the official Google Play store contain code that mines cryptocurrencies in the background. It is important to note that these apps do not inform users of the mining or in the majority of circumstances offer the user no opt-out option.

A recently discovered malware strain can be seen as a Swiss Army knife. Not only can it function as ransomware it can also log and steal their keystrokes and add infected computers to a spam-sending botnet. Multi-tasking malware is by no means a new phenomenon, malware authors will look to add new components and functions to existing malware strains in an attempt to make them more versatile. While not a new phenomenon, these multi-tasking nasties have an unexpected side effect of making classification difficult. This, in turn, causes much strife amongst the InfoSec community.

The malware, dubbed Virobot, was recently discovered by researchers at TrendMicro (sample discovered by security researcher MalwareHunterTeam). The malware which is capable of working as a botnet, ransomware, and keylogger has been classified as a ransomware strain by those same researchers, fortunately, it would appear that the malware is still under development. This is in part due to the uniqueness of the ransomware component. According to TrendMicro, the ransomware component has no ties to previous ransomware strains but that is where the uniqueness ends.

Banks and other financial institutions have long been the targets of hackers. Not only do they deal with massive amounts of funds daily, but they are also entrusted with valuable personal information that stealing it is a major goal for many cyber criminals. This treasure trove of personal information includes credit card data, customer information, and the wealth of corporate data that can be sold off or exchanged by those looking to make a quick profit or get an edge over a business competitor. Now they have a new increasingly popular threat to combat. Credential stuffing is an emerging attack method which can be considered a brute force attack. Credential stuffing is the automated injection of breached username and password pairs in order to fraudulently gain access to user accounts. Access to accounts is done by using large numbers of spilled credentials are automatically entered into websites, often by botnets) until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

Last week this platform published an article which covered the emergence of a new exploit kit called Fallout discovered by security researchers at FireEye. Initially the exploit kit has been used to distribute the SmokeLauncher trojan and the GandCrab ransomware. This week, it has started to distribute a new ransomware called SAVEfiles via malvertising campaigns.

SAVEFiles was discovered by security researcher Michael Gillespie, who has developed a reputation for discovering and analyzing new ransomware variants. While the ransomware was discovered by Gillespie it was not known necessarily how the ransomware was distributed. Exploit kit expert Kafeine discovered that SAVEFiles was been distributed via malvertising campaigns where IP addresses in Japan, France, and other locations have been targeted. It was further discovered that the campaign will cause the visitor to go through a stream of redirects until they eventually get to a site hosting the Fallout Exploit kit. The exploit kit will then automatically download and install the SAVEfiles ransomware onto the victim’s computer. The connection to hxxp://xxxart.pp.ua/1/get.php is the ransomware connecting back to its Command & Control server to receive an encryption key.

Apple has recently pulled several Trend Micro apps from its app store. These include the free packages Dr. Cleaner, Dr. Antivirus, and Dr. Archiver listed has been developed by Trend Micro. The reason for the apps receiving the boot: they exfiltrate user data for the user’s browser history. The discovery was made by Thomas Reed of Malwarebytes Labs and @privacyis1st. As a result of the public outcry and industry condemnation, Apple was forced to pull the apps. At the time of writing, only Dr. Wifi and Network Scanner were still available for download. In the report published by Thomas Reed, much of their research centered around Dr. Antivirus and Dr. Cleaner. Upon analysis, it was revealed that Dr. Antivirus was incredibly limited in what, in terms of malware, it could detect. This is due in part to restrictions placed on app development by Apple and imposed on the App Store. As with many similar apps, detection rates were poor even when used to detect malware within the user folder, Dr. Antivirus was no different.

The use and popularity of hackers using exploit kits seems to be waning. This decline in use has been attributed to arrests, prison sentences, and service disruptions caused by law enforcement in partnership with security firms. This is most certainly good news but does not mean their use is completely extinct. Security researchers at FireEye have discovered a new exploit kit been used in a campaign targeting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.

An exploit kit is essentially a type of “toolkit” used by hackers to attack vulnerabilities in systems so they can distribute malware or perform other malicious activities. Often exploit kits are packaged with exploits that can target commonly installed software such as Adobe Flash, Java, and many others. A typical exploit kit can include a management console, a bunch of vulnerabilities targeted to different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack.

Security researchers at security firm ESET have witnessed the threat group “PowerPool” exploiting a Windows zero-day vulnerability. The vulnerability is being used by the threat group to elevate the privileges of a backdoor in targeted attacks. The flaw was disclosed on August 27 with the proof of concept code been published on GitHub the same day. The information was disclosed by a researcher seemingly frustrated with Microsoft’s bug submission process. The researcher’s Twitter account was no longer accessible shortly after she posted the tweet, but it’s unclear whether it was suspended or deleted. The flaw, however, has been already confirmed by security researchers, including Will Dormann, a vulnerability analyst at CERT/CC. It would seem that PowerPool has also confirmed that vulnerability in light of recent attacks.

The Russian-based hacking group Cobalt is again targeting banks in a new campaign. In this latest campaign, it would appear that the group has limited its targets to Russian and Romanian banks. Cobalt has been active since 2016 and already boasts a number of scalps. As it stands the group has been credited with the theft of 9.7 million USD from the Russian MetakkinvestBank; ATM thefts of 2.18 million USD from Taiwan banks; a SWIFT attack on Russian banks; and more than 200 other attacks on banks in Europe, Thailand, Turkey and Taiwan. The group has also been seen to target industries other than the banking sector. Last year it was reported that Cobalt had expanded its range into also targeting government, telecom/Internet, service providers, manufacturing, entertainment, and healthcare organizations, often using government organizations and ministries as a stepping stone for other targets. Many of these utilized supply chain attacks.

In what Jennifer Lawrence, and the other victims of the so-called “Fappening”, will see as a victory, one of the hackers responsible has received an eight-month prison term for his part in the hack. In 2014 George Garofano, 26-years-old, of North Branford in Connecticut, covertly gained access to approximately 240 private iCloud accounts, many of which belonged to celebrities as well as other individuals. The access was gained in a period spanning from 2013 to 2014 and access was gained via an email phishing campaign. Garofano used the access gained to steal private images and video from the accounts and disseminate the material on the internet. One of the reasons for the uproar was that many of the images disseminated showed the victims nude.

Garofano, who is currently released on a $50,000 bond, was ordered to report to prison on October 10. Added to this he will also serve a three year supervised release once his prison term is complete. Garafano was one of four people charged in the 2014 hacking scandal and was the last to be prosecuted. Prosecutors argued for a sentence of 10 to 16 months in prison, in line with federal guidelines. Garofano asked for leniency, requesting no more than five months in prison and another five months of home confinement on the basis that he believed he had already suffered serious consequences and had apparently behaved in an appropriate manner since he was charged.

For Cosmos Bank, a bank that has been in business for 112 years, August will go down as one of the bank’s worst months. On August 14, 2018, the Hindustan Times reported that the bank suffered a two-stage attack where malware was used on the bank's ATM server to steal the credit card information of customers, alongside SWIFT codes required for transactions. It was estimated that during the first wave roughly 11.5 million USD in transactions from multiple countries was stolen. In the second wave, on the same day, close to 2 million USD was withdrawn through debit card transactions across India. Later when those funds were traced it was discovered that they were transferred to Hong Kong via fraudulent SWIFT transactions.

Cosmos Bank chairman Milind Kale said the cyber attack was a global effort as cyberattackers operated from "22 nations." The bank pointed the finger at Canada as the place of origin for many of the fraudulent transactions. A further article published by the Hindustan Times said that the hackers failed in their first attempt to compromise the bank's systems. Despite the first failed attempt worryingly no alert was issued to put the bank on guard against any further suspicious activity. The bank has since confirmed that no funds had been debited from its customers’ accounts.