Internet threat news
News broke on October 24 of a new ransomware variant targeting Russian and Ukrainian systems. The ransomware infected both personal computers and company servers. Among the affected organizations are Kiev’s metro system, Russian media organization Interfax and Odessa airport. Interfax was forced to publish to its Facebook page during the outage since its servers were taken offline for a number of hours.
The ransom demanded is 0.05 Bitcoin ($287.65 at the time of writing) and is conveyed in the now customary method of a ransom note. The malware code is unusual in the sense that it is laced with pop culture references pertaining to the hit show Game of Thrones, whose holding company HBO has its own battles with cybercrime. The ransomware also tries a list of passwords while attempting to spread which include “love”, “sex”, “god” and “secret”, which were dubbed the “four most common passwords” by the 1995 movie Hackers. In fact, the four most common passwords are 123456, 123456789, qwerty, and 12345678.
Since the middle of September, researchers have been watching an Internet of Things Botnet grow by nearly 10,000 infections per day. The botnet has been codenamed IoT_reaper. The current size of Reaper is estimated to be over 2 million infections. Much has been published over the years about how vulnerable IoT devices are. We are now beginning to see the practical implications of all the warnings made by experts.
According to researchers at Netlab the botnet is mainly made up of IP-based security cameras, network video recorders (NVRs), and digital video recorders (DVRs). The botnet uses some code from the Mirai IoT malware, but there are also many new things that make the botnet a standalone threat in its own right. One of the major differences between the Reaper and Mirai is its propagation method. Mirai was dependant on scanning for open Telnet ports and attempted to log in using a preset list of default or weak credentials. Reaper primarily uses exploits to forcibly take over unpatched devices and add them to its command and control (C&C) infrastructure.
Reaper also differs from Mirai in several important ways including that it uses exploits to take over devices. Other ways Reaper differs is that it is Lua execution environment integrated. This enables Reaper to perform more complex attacks. Reaper’s scan behavior is also not very aggressive helping keep it under the radar, making it harder to detect.
Recently we reported on the first ever ransomware which changes both the user PIN and encrypts user data on Android devices, discovered by researchers at ESET. In less than a week another piece of malware was discovered targeting Android users. SockBot, discovered by researchers at Symantec, is a Trojan which was used to target users who play Minecraft Pocket Edition mobile game. A total of 8 apps have been discovered carrying the Trojan on Google’s Play Store. The apps which were advertised as player skin apps and legitimate had total installation count ranging between 600,000 and 2.6 million.
All of the apps were created by the same developer going by the name of FunBaster. Google has since removed the apps. Fortunately, for those who may have been infected with SockBot, Google is able to remove infected apps from user’s mobile devices. This action taken by Google would have drastically reduced the number of possible infections. Using a popular app or game to try and lure users to download malicious apps is by no means a new trick. Given the popularity of Minecraft and a user base that consists of many younger users not aware of the dangers posed the creator picked a target easily susceptible to a malware attack.
Researchers at Slovakia based security firm ESET have discovered a new ransomware variant that targets Android users. The researchers believe this to be the first instance on ransomware which abuses Android Accessibility. A feature that provides users alternative ways to interact with their smartphone devices, and mainly abused in the past by Android banking Trojans to steal banking credentials. Discovered by ESET products as Android/DoubleLocker.A, this ransomware strain is based on the foundations of a particular banking Trojan, known for misusing accessibility services of the Android operating system.
Lukáš Štefanko, the ESET malware researcher who discovered DoubleLocker believes that based on the ransomware’s banking Trojan roots DoubleLocker has the possibility of being converted into a ransombanker malware. This would be a two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom. While this is currently speculation, ESET researchers have seen similar malware in the wild already dating back to May of this year.
With financial institutions admitting data breaches, some very serious others less so, it seems governments are also taking the opportunity to disclose information concerning hacks. This week saw both the Australian Government and the South Korean Government admitting that sensitive information, in South Korea’s case classified information, was stolen. Regarding the Australian hack, a total of 30 GB of sensitive data pertaining to the military and its equipment were stolen. In regards to the South Korean hack, North Korea is accused of stealing approximately 235 GB of data which included classified plans detailing the South and its Allies response in case of war with the North.
Earlier this President Donald Trump’s government moved to ban all Kaspersky Lab products from US Government institutions and agencies. Law enforcement and information agencies also recommended to the private sector that they should desist for purchasing products and services from the Russian based company. Very little evidence was provided to the public as to the decision made by President Trump, however, the reason for the decision rests in Kaspersky Lab’s alleged inappropriate links to the Russian Government.
This matter resurfaced recently on October 6 with articles published in both the Wall Street Journal and the Washington Post that a breach which may have occurred in 2015 was made possible in part by Kaspersky’s Antivirus Software. US officials seem to believe that a scan performed by Kaspersky Lab’s security software on the contractor's computer helped Russian hackers in identifying the files containing sensitive information. Evidence in both articles for the claims rests on anonymous sources who allege one of two situations may have occurred which enabled Russian hackers to gain access to classified documents.
Security researchers have developed a variant of the Rowhammer malware that is able to bypass all the current countermeasures proposed for such an attack. The blanket term Rowhammer has come to describe a security exploit that takes advantage of the fact that hardware vendors are cramming too many memory cells together on the same boards in order to make smaller components with larger memory storage. An attacker can exploit this by bombarding RAM memory cell rows with constant read-write operations causing the memory cells to change their electrical charge. This means that the stored data can be modified from 1 to 0, or alternatively 0 to 1, thus altering information stored on the computer. By altering the stored information in such a way the attacker is able to deliver malicious code that alters normal OS behavior to escalate the attacker's privileges, root devices, or cause denial-of-service states to crucial services, such as security software.
Over the last two years, security researchers have seen servers accessed and data wiped with the attacker sending a ransom note to have the data restored. The most recent victim has been the team behind R6DB, an online service which provides Rainbow Six Siege player statistics. The attack occurred on September 30 in which an automated bot accessed the server, wiped the database, and left a ransom note behind. The database appears to be a PostgreSQL instance. At the time of writing, this article R6DB have recovered most of the data and are currently running updates on the new server.
Once EternalBlue was released into the wild by the Shadowbrokers it was predicted that its effects would be far-reaching. Time has proven those predictions correct with many hacking groups around the global adding yet another tool in spreading malicious payload. In this instance the creators of the banking Trojan Retefe have leveraged EternalBlue in order to spread across computers via unpatched and outdated SMB servers.
Earlier this year Emotet and TrickBot were discovered by security researchers sporting highly customised version of EternalBlue. This was at a period where the use of worms to spread malicious payloads across networks was declining with some thinking the malware variant to be dying a slow death. Upon the emergence of EternalBlue new life was seemed to be breathed into something that was thought to be a relic of the recent past. Other than seeing worms become fashionable once more, how banking Trojans were used and operated also changed. In the past those deploying such Trojans would like them to remain undetected for as long as possible, now it seemed they wanted to infect as many computers as possible thus gaining a vast amount of credentials in a smaller space of time. This would have been the trade-off for being easier to detect one can assume.
Cryptocurrencies are fast becoming, if not already, a massive investment tool that is rewriting the rules as to what the currency currently in your wallet can be. With innovation often comes teething problems, these in themselves are not a worry. What is a worry is how malware authors are exploiting innovative ideas for short-term gain. This is hardly new and seems to be an information age constant in that if a tool or idea can be abused to swindle and extort it shall. This maxim is probably not even an information age phenomenon but one that pervades human history.
Coinhive appears to have started its life fairly innocently. As a tool Coinhive could be used by website owners to generate extra income rather than utilizing ad banners. It is essentially a java library that can be added to the website which when visited by a visitor Coinhive will use a percentage of the visitors CPU to mine Monero. Once the visitor is no longer on the page Coinhive will stop mining using the visitor’s CPU. The Pirate Bay, the famous or infamous depending on which side of the piracy fence you sit, began trailing Coinhive rather than having ad banners on their torrent website. Users were notified about the trial and its implications but were soon dropped by The Pirate Bay due to negative user feedback.
On Tuesday news broke that the latest version of CCleaner, a popular application owned by Avast, had been hacked, little was known as to the attacker’s intention. As is often the case with attacks conducted by knowledgeable and experienced attackers the targets and aim are exceptionally difficult to ascertain. Given time and dedicated research teams often these can be determined but determining who is responsible is harder.
The CCleaner hack was pulled off by modifying version 5.33 to include Floxif malware as reported by Cisco Talos and MorphiSec. Initially, it was believed that users who downloaded the jeopardized version merely downloaded a fake version of CCleaner. Researchers later determined that the version was indeed legitimate and CCleaner’s supply chain was jeopardized. Ultimately it was determined that Floxif, a malware downloader, was used in this instance to collect information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part.
When Equifax announced at the start of September that it had been a victim of a massive data breach and given the companies unique position of been one of the three major credit unions in the United States, everyone knew heads would roll. This feeling would only be exacerbated when late on Friday, eastern standard time, the company released a press statement detailing the incident and announcing the resignation of both the Chief Information Officer and Chief Security Officer.
The press release also confirmed that potentially the personal information of over 143 million U.S. citizens has been impacted with at least credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. Added to that Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents. Many, if not all, of the above statistics regarding the incident were speculated upon in the media, the press release by Equifax serves as confirmation.
Microsoft, as part of September Patch Tuesday, has released patches for a total of 81 CVE listed vulnerabilities of varying severity. The latest security update addresses 27 critical and 54 important vulnerabilities in severity, of which 38 vulnerabilities are impacting Windows, 39 could lead to Remote Code Execution (RCE). The updates are applicable to all Microsoft products that are currently supported.
Four of the patches are known and have already been exploited in the wild. One of the vulnerabilities was previously unknown to the public with details been released on September 12. The previously unknown vulnerability was discovered by researchers at FireEye and privately reported to Windows, with both parties only releasing details to the public in conjunction with the release of the patch.
When news of hacks, data breaches, and malware attacks break on mainstream media one knows that the seriousness of the situation can be rarely questioned. When it happens to a company responsible for generating a large portion of credit scores for the American public and advertises the latest advances in ID theft protection those with a sense of humor might comment how ironic the situation is, those who may have their identities were stolen as a result probably won’t be laughing.
News broke on September 7 when Equifax announced that it had suffered a major data breach. Essentially 143 million Americans, including a few British and Canadian citizens, had their incredibly sensitive personal information exposed and potentially stolen. Information which was jeopardized included consumers' names, Social Security numbers, and birth dates for 143 million Americans, and in some instances, driving license numbers and credit card numbers for about 209,000 citizens.
Page 10 of 23<< Start < Prev 1 2 3 4 5 6 7 8 9 10 Next > End >>