Internet threat news

Players of the popular first person shooter Counter Strike: Global Offensive (CS: GO) got more than they bargained for if they looked to download an app which allows users to cheat. The app modified to operate on macOS would also download and install a cryptocurrency miner unbeknownst to the cheater. The age old lesson of “Cheaters never prosper” is most apt in this situation as those looking to cheat would be aiding hackers in accruing Monero, a favoured cryptocurrency of hackers worldwide because of its increased anonymity features.

Players looking to get a leg up on their competition in a less than an ethical way by downloading the vHook app from the website vlone.cc. The original version of vHook was not Mac compatible but was advertised on YouTube. The latest version is based on the original vHook, termed Barbarossa, and was modified by a GitHub user going by “fetusfinn”. It appears as though the GitHub user was also the one who added the cryptocurrency miner to the code. The evidence for this resides in the use of the OSX.Pwnet.A miner that features debugger symbols that seem to reference the user name, Finn.

With Kaspersky Labs releasing their malware report focussing on the second quarter of this year as well as research conducted by Cisco and Umbrella there seems to be a marked rise in DDoS attacks. Many of these attacks seem to be originating in Southeast Asia, with many of the attacks targeting businesses and corporations within China.

Most recently there has been a marked rise in the instance of DDoS services for hire. These are sometimes referred to as DDoS booters or DDoS stressors. Many of which have appeared in China seemingly using the same platform. It could easily be assumed that the same authors could be offering multiple services across a variety of platforms. This could be done to increase market dominance, however, researchers at Cisco revealed the opposite to be true.

Hackers are continually innovating and becoming fundamentally sneakier in how they are targeting business. In the NotPetya attack earlier this year we saw hackers dropping malicious code into legitimate accounting software updates. Another instance of corrupting software update mechanisms has again been used. Researchers at Kaspersky’s Global Research and Analysis Team (GReAT) have detected another similar styled attack. Dubbed ShadowPad the secret backdoor gave attackers complete control over networks hidden behind legit cryptographically signed software sold by NetSarang. Founded in 1997 NetSerang develops, markets and supports secure connectivity solutions and specializes in the development of server management tools for large corporate networks. The company has headquarters in both the United States and South Korea with the company boasting clients from banks, media firms, energy companies, and pharmaceutical firms, telecommunication providers, transportation and logistics and other industries.

In a report compiled by researchers at FireEye, it appears it is not only cyber criminals using the leaked NSA tool commonly referred to as EternalBlue. Many will recognise the name as it is the vulnerability (CVE-2017-0143) that assisted in making the WannaCry and NotPetya attacks earlier this year international headlines. Since it was leaked into the wild by the hacking group the Shadow Brokers, EternalBlue has been used in various forms of malware campaigns whether ransomware or in Trojans and miningbots. EternalBlue leverages a vulnerability in Microsoft’s SMB version 1 networking protocol in order to spread laterally across networks in order to deliver a malicious payload. It was only to be a matter of time till researchers discovered it being used for cyber espionage purposes.

In this instance, it is been used to steal credentials from high-value guests staying in hotels across Europe. The security researchers at FireEye believe with moderate confidence the hackers belong to the hacking group Fancy Bear who has been operational since 2007.

With the recent spate of data breaches and leaks of arguably HBO’s most popular television program, Game of Thrones, one can assume many of the company’s executives wish they could return to an era with no internet. Hacking of the entertainment industry appears to be on the rise and placing the relevant companies in the headlines for all the wrong reasons. If one was looking for a silver lining, the shared excitement the leaks caused on platforms like Reddit does show how popular Game of Thrones still is.

The most recent dump which seems to have occurred early this week would be the third similar data dump in about two weeks. From initial reports, it appeared that the hackers in the most recent attack tried to extort an undisclosed sum from HBO, which the hackers themselves redacted in statements issued to the press.

Marcus Hutchins, a security researcher who also goes by the name MalwareTech, made headlines in May as the person who discovered, almost accidentally, the inbuilt killswitch in the WannaCry ransomware which caught the world unawares. Fast forward to August and the same person hailed as a hero who prevented a further 10 million systems been infected by WannaCry was arrested in Las Vegas during the DefCon one of the largest hacking conferences in the world. At his bail hearing on Friday, he initially pleaded not guilty and was granted bail of 30,000 USD. Hutchins still had to spend the weekend in Jail as his lawyers could not pay the bail in time. Hutchins has to wear a GPS locating tag and is not to communicate his co-accused who is as of yet unnamed. Hutchins has been accused of creating and maintaining the Kronos banking Trojan and can face up to 20 years in jail if convicted.

With WannaCry and Petya attacks slowing down it was only a matter of time till the lessons learned from these attacks would be used by other cyber criminals. The creators of TrickBot have most certainly learnt how to increase the propagation exponentially of the malware using the lessons learnt from this year’s most devastating cyber-attacks.

The new version (1000029 or v24) of the credential stealing malware has been found to be using the same SMB exploit famously used by WannaCry and Petya. TrickBot has been stealing credentials from banking institutions towards the end of last year. It has attacked financial institutions across the globe. The favoured attack vector for TrickBot is through email attachments impersonating invoices from a large financial institution.

With the arrest of Alexander Vinnick, a 38-year-old Russian who was believed to be one the creators and operators of BTC-e on money laundering charges. The total believed to be laundered through the platform totals over 4 Billion USD. The laundered funds are believed to be in conjunction with cyber-attacks, tax fraud, and drug trafficking. The man was arrested by Greek police at the request of US law enforcement agencies.

The arrest will hopefully further shine a light on how cyber-criminals, once they have either stolen or extorted cryptocurrencies are able to launder that money in order to be used legitimately.

How the criminals are able to cash out

Whether it is from ransomware campaigns or direct theft from legitimates user's cryptocurrency wallets, it is very difficult to survive solely on the cryptocurrencies. What is then needed is someone willing to launder the money in a similar vein to how it is done in other illicit trades and black market operations.

Google’s Android security team have discovered and new and immensely powerful spyware termed Lippizan. Google claims the spyware was created by Equus Group, an Israeli based company who by their own account specializes in the development of “…of tailor made innovative solutions for law enforcement, intelligence agencies, and national security organizations.” Lippizan appears to be a targeted malware infecting a small selection of apps upon Google Play. Google states that their experts noticed the malware and intervened and removed the infected apps. The new security feature, Google Play Protect, was used to remove the infected apps. According to Google, this new feature allows for users to use the app store with peace of mind by applying even stricter controls on the uploading of apps.

On Friday, 21 July 2017, a 29-year-old man pleaded guilty to hijacking over 900,000 routers from Deutsche Telekom’s network towards the end of 2016. The attack which leveraged a customized version of the Mirai malware according to the hacker accidentally denied many Germans and German companies without access to the internet impacting on their ability to conduct business. The hacker has not been named by authorities but has gone by the nickname “Spiderman”, “BestBuy”, and “Popopret”. The hacker may be sentenced to 10 years in prison, with sentencing scheduled for 28 July 2017.

Admissions in Court

While during court proceeding the 29-year-old accused admitted that it was never his intention to cause the routers to stop functioning completely. Rather it was his intention to use the hijacked routers as pawns in a DDoS attack. Accidently his version of Mirai shut down routers rather than assisting in executing the DDoS attack he had planned. A week later he did exactly the same thing, this time in the UK by accidentally shutting down 100,000 routers again denying users the ability to use the internet disrupting businesses. He has not been charged for the shutting down of the UK routers as of yet. The man was arrested in February of this year by UK police at a London airport and extradited to Germany to faces the charges brought forward by German police stationed in Cologne who also issued the international arrest warrant.

Just weeks after American law enforcement agencies, the Department of Homeland Security and the Federal Bureau of Investigation, in a joint non-public report warning of a critical infrastructure hack, the Government Communications Headquarters (GCHQ), one of Britain's secretive spying agency has reported the possibility of a similar attack within its borders. A copy of the document issued by the National Cyber Security Centre (NCSC), a branch within in GCHQ, obtained by Motherboard and later confirmed by the BBC states that industrial software companies have likely been compromised.

Global Campaign

While the NCSC report does not mention specific instances where systems were compromised, unlike the US joint report which listed a company managed a nuclear power station in Kansas had been breached, it does appear that activity indicative of a campaign is discernible. It does not appear as if UK companies are the specific target, rather part of a global campaign targeting critical infrastructure systems and companies in the West. Both law enforcement agencies in Turkey and Ireland have reported similar suspicious activity.

As of yesterday researchers at Trend Micro have reported someone trying to leverage the SambaCry vulnerability to install a backdoor Trojan on Linux machines running unpatched versions of Samba, a file sharing program. Researchers at Trend Micro confirmed that most of the attacks targeted network-attached storage (NAS) appliances, many of which ship with the Samba server which allows file sharing across different operating systems.

The vulnerability exploited by SambaCry (CVE-2017-7494) is not new and affects several versions of Samba. The vulnerability was patched by Samba when it became apparent that the vulnerability was being exploited by the cryptocurrency miner EternalMiner over a month ago. Despite the vulnerability being patched, it is apparent that not all users have updated their versions of Samba currently installed on their devices.

The global cyber security company, Kaspersky, has landed itself in the headlines once more as the General Service Administration of the US has removed Kaspersky and its products from a list of approved vendors. The General Service Administration is responsible for federal government purchasing contracts. This will undoubtedly make it more difficult to buy Kaspersky products within the borders of the US. The GSA stated that “GSA's priorities are to ensure the integrity and security of US government systems and networks and evaluate products and services available on our contracts using supply chain risk management processes,” in response to the removal from the aforementioned list.

Kaspersky’s removal from the GSA’s list of approved vendors due to what US law officials see as close ties to the Russian Intelligence Agency, the FSB. US Officials see this relationship as more than cordial and believe the alleged relationship between the FSB and Kaspersky could place American networks in danger, and the potential to increase Russia’s cyber espionage ability. In a congressional hearing in May, it expressed concern over the links between the Russian tech giant and the Russian Government. However, the hearing stopped short of providing any concrete evidence proving such links.

When news broke on 6 July 2017, that companies who manage nuclear energy power stations within the US were hacked alarms were triggered. Rightly so, fears of what happened in Ukraine previously when its energy sector was essentially shut down by hackers must of being on many minds. On some other minds was probably the thought that this was the end and perhaps they should have been prepping for a doomsday scenario. While hacking of energy suppliers and companies associated with the maintenance and managing of power stations is a cause of concern, cybersecurity researchers at Cisco’s Talos Intelligence Division, worked hard to try to quell some of the fears many might have had.