Internet threat news

The film industry loves to portray bank robbers as street smart criminals who plan audacious schemes to physically break into bank vaults. The reality as always it not so glamorous with more and more bank robberies been confined to the digital realm. News broke towards the end of May of an attempt to steal money during a hack of a Chilean bank. It was initially reported on May 24, by Banco De Chile that the bank had suffered an all-around systems failures that affected the computers at several of its branches. Various local news sources began reporting that the bank while maintaining online banking channels could not carry out in banking operations. Initially, the bank in question refused to call it a security incident, but in a subsequent announcement on May 28, Banco de Chile admitted to having been hit by "a virus."

Towards the end of May, we covered an article concerning APT28 and their potential involvement in the creation of VPNFilter. The group has earned notoriety stemming from multiple attacks and campaigns. The group also seems to be trying to break records for the most names; the group also goes by Sednit, Sofacy, Fancy Bear, Pawn Storm, and Tsar Team. The group who is widely believed to operate under orders from the Kremlin has typically operated by targeting a small number of users inside an organization, usually with the same exploit chain and the same malware. Researchers at Palo Alto believe the group is changing tactics to what they call “parallel attacks”.

In a report  recently published by security firm, Palo Alto details how they believe the group is in the process of changing and adapting new tactics to carry out cyber espionage operations. Researchers at Palo Alto have conducting intense analysis on the group dating back to February and March of this year. Part of the analysis has dealt specifically with analyzing a lesser known tool widely attributed to the APT28 group called Zebrocy. Zebrocy is delivered primarily via phishing attacks that contain malicious Microsoft Office documents with macros as well as simple executable file attachments. Researcher’s track this now as the third campaign using the Zebrocy malware.

In recent months Tech Support Scams (for example: Microsoft Warning Alert, Do Not Ignore This Windows Alert, YOUR COMPUTER HAS BEEN BLOCKED) have seen a drastic rise in popularity. According to researchers at Microsoft the rise in such scams amounts to a 24% increase. The problem has even resulted in Microsoft teaming up with other industry giants to combat this scourge. While tech support scams, or put differently technical support scams, take on many guises the do have certain common traits that can be defined. Thus, any such scam involves the scammer claiming to offer a legitimate technical support service, often via cold calls to unsuspecting users. Such cold calls are mostly targeted at Microsoft Windows users, with the caller often claiming to represent a Microsoft technical support department but is not always the case.

On Monday, May 28, two Canadian banks revealed they had suffered cyber-attacks over the weekend. The two institutions, Simplii Financial and Bank of Montreal, both released statements confirming that they had been hacked. Later it was revealed that the hackers responsible are attempting to hold the data stolen from the banks for ransom. The hackers claim that they will release the personal information of 100,000 clients of the banks unless they receive 1 million USD worth of cryptocurrency.

Simplii Financial, which is a subsidiary of CIBC, one of Canada’s biggest financial institutions, released a statement on Monday confirming the incident which was discovered on the previous Sunday, In the statement it was confirmed that the hackers had managed to access and steal certain personal and account information for approximately 40,000 of Simplii's clients. Upon the discovery, Simplii moved to implement enhanced online fraud monitoring and online banking security measures. It also stated that it would be directly contacting all those affected. Michael Martin, the Senior Vice-President, wished to assure clients that, “We're taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” and, “We feel that it is important to inform clients so that they can also take additional steps to safeguard their information.”

Last week it was reported that it appeared that a Russian state-sponsored hacker group was potentially gearing up for an attack on Ukraine. Due to the work of numerous security researchers and the US Federal Bureau of Investigation (FBI) the attackers' plans were foiled somewhat. Such events will inevitably raise questions on how to sufficiently deal with such threats. These discussions, as with discussions surrounding conventional warfare, can tread some morally murky water. A UK official has sought to clarify that country’s position with regard to responding to cyber warfare. In a speech issued by Air Marshall Phil Osbourne look to present a possible solution for his countries defense. The position that could be adopted according to Air Marshall Osbourne should be, “…to understand first, to decide first, and then if necessary to act first, across the physical and virtual, to secure decision advantage and then operational advantage, seeking swift yet controlled exploitation of vulnerabilities and the proactive denial of opportunities.”

On May 23, 2018, researchers at Cisco Talos published a report detailing their discovery of a giant botnet of hacked routers that appears to be preparing for a cyber-attack on Ukraine. Researchers say that the botnet has been created by infecting home routers with a new malware strain named VPNFilter. It is widely believed within the InfoSec community and other nation states that Russia, in particular, the nation-state group APT28, are behind the botnet and malware creation. This has been done to target Ukraine according to experts.

According to Cisco, this new malware variant is incredibly complex, especially when compared with other IoT botnets. VPNFilter comes with support for boot persistence, only the second IoT malware to do so seen in the wild to do so, scanning for SCADA components, and a firmware wiper function to incapacitate affected devices. SCADA, or otherwise known as supervisory control and data acquisition, are commonly seen as control system architecture that uses computers, networked data communications and graphical user interfaces for high-level process supervisory management. All this is combined to assist in the management of industrial machinery and factory processes. Searching for and targeting such components has become a favorite of nation-state groups.

On May 18, various cyber news sources began reporting that a data set containing 200 million rows of personally identifiable information (PII) has been made available on an underground Chinese marketplace. Articles surfaced on Security Week, and Dark Reading, amongst others. All reported that the source of the information of the exposed data came directly from cybersecurity firm FireEye’s iSight Intelligence division. What is considered PII can vary widely from country to country and is dependent on the regions privacy and information security laws; in general PII can be seen as information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. FireEye has stated that the leaked data, in this case, does not contain incredibly sensitive information but it can be used to facilitate identity theft, spam, malware propagation, and fraud.

There is very little that can be considered more frustrating than realizing all your hard work has been made useless because of a silly mistake. This is probably what a group of hackers must be feeling at the moment. In this instance, the hackers appeared to have accidentally exposed two fully-working zero-days when they uploaded a weaponized PDF file to a public malware scanning engine. Unfortunately for the hackers, but fortunately for almost everyone else, security researchers at ESET discovered the potentially damaging zero-days and reported them. The first vulnerability affected Adobe’s PDF viewer and has been assigned the following Common Vulnerability and Exposure (CVE) number CVE-2018-4990 and has been patched. The second vulnerability, CVE-2018-8120, which if exploited targeted the Win32k component of Windows and was also recently patched.

The Grand Rapids Police Department of Michigan, USA, has issued a warning via Facebook warning Netflix users of an email scam currently underway. Netflix also issued a statement intended to help users determine what is a scam or not and hopefully prevent users from handing over important information such as information pertaining to credit and debit cards.

Netflix, the incredibly popular subscription-based streaming service, currently boasts nearly 118 million users globally. This popularity, while what the business strives for, unfortunately, comes with a downside. That being it makes it a target for scams which cybercriminals will try to exploit this popularity to the best of their ability. The latest scam takes the form of a phishing email campaign. Simply put a phishing campaign relies on the criminal sending out emails to a massive amount of recipients with the hope of getting the recipient to do what the email instructs. These campaigns rely on social engineering to get the user who received the email to do something. This may involve the user from mistakenly handing over bank details or other such important information. Social engineering can be defined as an attack that relies heavily on human interaction in order to steal confidential information. Due to this reliance on human interaction phishing is one of the easiest forms of cyber attack for a criminal to carry out. Through merely sending out an email which links to a fake website a victim can provide these crooks with everything they need to infiltrate every aspect of their targets' personal and working lives. Such attacks are commonly used in identity theft cases which can severely impact the life of the victim.

Much of the world, particularly those living in the Middle East, are collectively holding their breaths hoping a storm may pass. One May 8 US President Donald Trump announced his country would be withdrawing from the Iranian nuclear deal. The president claimed that there is Israeli intelligence proving Iran is not in compliance with the agreement thus providing the reason to withdraw without alliance partner’s support. The move by President Trump sparked fears that the region would further be destabilized. As if to prove the point news broke early on May 10 about Iran using missiles to strike Israeli positions in the Golan Heights and with Israel responding in kind. While there appear to be legitimate fears of a further destabilized geopolitical landscape, there are also many fears regarding a cyber retaliation from Iran.

The battle between the Russian Government and Telegram, a popular instant messaging service, continues to be a long drawn out affair. Russia’s telecommunications watchdog Roskomnadzor seems to be determined to stamp out the offending app once and for all. At the center of the battle between the government and the company is due to Telegram declining  to provide customer encryption keys to Russian intelligence agency FSB so that investigators could decrypt encrypted conversations during investigations. The latest news coming out of Russia is that Roskomnadzor, blocked last week on May 3, 2018, access to over 50 VPN and proxy services. This according to Russian news agency TASS who initially published the story.

According to Russian authorities, the banning of approximately 50 VPN and proxy servers was done because users were utilizing these tools to skirt a nation-wide ban on Telegram. The nationwide ban occurred on April 13, when the Russian courts ruled in the Governments favor to ban the popular messaging service. The court hearing lasted a total of 18 minutes ensuring that justice was indeed swift in this case if you believe the action of banning Telegram is in the interests of justice. Prior to the court ruling which confirmed the government’s permission the company had been fined approximately 14,000 USD for failing to comply with a government order that required the company to provide access to encrypted conversations to Russian intelligence agency FSB. Since these events Telegram has lodged an appeal with the European Court of Human Rights (ECHR) against the 14,000 USD fine.

Malware designed to mine cryptocurrency using a victim’s server or computer is an ever increasing popular choice. Often called crypto jackers or simply miners, many malware authors have seen their potential to make more than a quick buck and are often included in other types of malware packages. Researchers at AlienVault have discovered a new miner, which they have dubbed MassMiner. In a report published by the company, it was revealed that MassMiner employs a who’s who of recent exploits that led to many sleepless nights and loss of earnings in 2017.

As mentioned above MassMiner uses a number of exploits to infect systems in order to mine the cryptocurrency Monero. Those exploits include the following: CVE-2017-10271 (https://nvd.nist.gov/vuln/detail/CVE-2017-10271) (Oracle WebLogic), CVE-2017-0143 (Windows SMB), and CVE-2017-5638 (Apache Struts). Each one of the above-mentioned vulnerabilities has become the equivalent of cyber celebrities in their own right and have become infamous for different reasons.

Following from Microsoft’s announcement that it will be looking to build better partnerships with other industry-leading companies to prevent tech support scams the Redmond giant has made another important announcement. While much of the tech industry was looking at the release of the new Windows 10 update, at the Hannover Messe 2018, an industrial trade show, Microsoft announced plans to secure both IoT (Internet of Things) devices and ICS (Industrial Control Systems) operations. The new project has been codenamed Trusted Cyber-Physical Systems or TCPS for short.

According to Microsoft, TCPS systems are designed to utilize three elements to catch and block intrusions. The first being is a hardware-level Trusted Execution Environments (TEEs). Simply put a TEE is a secure area of the main processor. It guarantees code and data loaded inside to be protected from attacks. Such systems were designed to process highly-sensitive information, information hackers are always trying to get at. The reason for this is that many low-level IoT or ICS systems lack a hardware level TEE making them incredibly vulnerable to attack. For such systems Microsoft will be able to provide what they term is a “brownfield gateway,” which operates as an intermediary point that funnels all commands from upstream equipment to IoT devices, sensors, actuators, or safety control systems through one server/host thus supporting a TEE.

In the realm of cybersecurity, good news or even slightly positive news is rare. The community as a whole moves from crisis to crisis, malware variant to malware variant. There was perhaps more than a little surprise within the community when Microsoft published a veritable call to arms for teaming up with key players to put an end to the problem of tech support scams. All too often the Redmond tech giant is criticised for putting profit ahead of security, however, in recent months Microsoft has been working hard to correct this reputation. The latest article can be seen as a step in the right direction for the often criticised company.