Internet threat news
Security researchers at FireEye have tracked the development of Triton to a research institute owned by the Russian government. In a report published on Tuesday 23 October, researchers claim that they have uncovered a strong link between the Triton malware and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a technical research organization located in Moscow and owned by the Russian government. Triton, which has also been called Trisis and Hatman, was used in a campaign targeting Industrial Control Systems (ICS) in the Middle East. Industrial Control Systems are extensively used in industries such as chemical processing, paper manufacture, power generation, oil and gas processing, and telecommunications.
In a recent article published by the Cisco Talos team, researchers describe a Chinese-linked cyber espionage group using the Datper Trojan. The group, called Tick and previously known as Redbaldknight and Bronze Butler, has been launching espionage campaigns targeting Japan and South Korea for a number of years. In the campaign analyzed by the Talos team, the group also used compromised websites located in the two countries as command and control (C&C) servers.
Since 2016, Tick has developed a reputation for targeting Japan and South Korea using custom tools for each separate campaign. Although custom tools are often used, researchers have been able to uncover certain tactics employed on a near-constant basis. Such tactics include similarities in the use of infrastructure and overlaps in hijacked C&C domains or the reuse of the same IP addresses. Cisco researchers, aware of these patterns, were able to determine similarities between the Datper, xxmm backdoor, and Emdivi malware families that the threat actor has used in attacks. The xxmm backdoor and Emdivi malware have also been used in previous campaigns orchestrated by the group.
GandCrab Hackers show some Heart
Syria was at one stage known as one of the birthplaces of human civilization. Recently the beleaguered nation is better known for its terrible civil war. As of April 2018, more than 465,000 Syrians have been killed in the fighting, over a million injured, and over 12 million, half the country's pre-war population, have been displaced. Many would feel that Syrians being targeted in hacking campaigns would be worse than a kick in the teeth, given the struggle for survival faced by many. Fortunately, some hackers feel the same. In a post to an underground hacking and cybercrime forum, the GandCrab developers have released the decryption keys for Syrian victims.
The developers of GandCrab seem to have responded to a tweet in which a Syrian victim asked for help after photos of his deceased children were encrypted. After seeing the tweet, the hackers announced via a forum that they had released the keys for all Syrian victims. They also mentioned that it was a mistake not to exclude Syria from the list of targeted countries.
The small island nation, known for its small population and giant-slaying football team, hardly ever makes the headlines in cybersecurity publications. That was until October 12, when cybersecurity news sites began publishing articles detailing how Iceland had just experienced its biggest attack yet. This is in stark contrast to reports from 2017, which stated that Iceland experienced no reported cases of the WannaCry attack in May of that year.
Fast forward to the present day, where a phishing campaign took Iceland by surprise, sending malicious emails to thousands of individuals in an attempt to fool them into installing a powerful remote access tool. For many nations, a cyber attack affecting thousands can be seen as a mere trifle. However, when you consider that the population of Iceland is approximately 350,000 people, thousands represent a significant percentage of the population.
Security experts often sound like the worst stuck record ever. “Update your software,” “update your hardware,” “update your operating system,” are said verbatim and on repeat constantly. The reason for all the repetition is that users do not follow this simple advice. Updates are seen as an inconvenience rather than a security essential. If you are the owner of a MikroTik router, it is most certainly time to patch it. Security researchers on Twitter, including Kira 2.0, sounded the warning sirens, showing that nearly 12,000 MikroTik routers are currently infected with various malware strains. Researchers began investigating further, and it was discovered that a known vulnerability in the firmware of MikroTik routers is potentially far more dangerous than previously believed. The vulnerability in question, CVE-2018-14847, is present in the Winbox administration utility of MikroTik's RouterOS. According to research done by Tenable, the vulnerability allows remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID.
On Thursday, October 4, 2018, Bloomberg published an article which claimed that Chinese spies were able to gain privileged access to just under 30 major US companies. This access was granted through the spies planting tiny microchips inside motherboards used for Supermicro servers that eventually made their way inside the IT infrastructures of the major companies which included Apple and Amazon. The report shocked the public and resulted in Supermicro’s stock value plummeting by nearly 50%.
Soon after the story was published, the companies supposedly involved came out with statements that strongly denied the claims made in the article. Not only did the companies question the story, but many leading thinkers within the InfoSec community also cast doubt upon the article's claims.
Most hackers and threat actors are content to copy the work of others. This means that most of the world’s cyber-attack campaigns are conducted using tried and tested tactics and already existing, if slightly modified, malware variants. When a new and original method of attack becomes apparent, the InfoSec community most certainly takes note. Security researchers at ESET definitely have the community’s attention with their report on LoJax.
LoJax is possibly the first known case of a threat actor leveraging the Unified Extensible Firmware Interface (UEFI) boot system in an attack. In summary, the malware uses repurposed commercial software to create a backdoor in a computer’s firmware. The campaign using the malware has been active since 2017, and the backdoor is capable of surviving the re-installation of the Windows operating system or even hard drive replacement. While the malware had been spotted previously, ESET’s research is the first to show that it was actively attacking the firmware of computers to establish a tenacious foothold. What’s more, ESET has attributed the spread of the malware to Sednit, also known as FancyBear, the Russian state-sponsored operation tied by US intelligence and law enforcement to the cyber-attack on the Democratic National Committee.
On September 28, 2018, Facebook announced that it had suffered a major security breach. The social media giant simultaneously announced that 50 million user accounts were accessed by unknown attackers. The discovery was made by Facebook engineers on the previous Tuesday, and the attackers managed to seize control of the affected accounts. Since the announcement, Facebook has logged out the 50 million breached users and a further 40 million vulnerable accounts to prevent further exploitation of user accounts by the unknown attackers. It is generally seen by many that Facebook has had a torrid time of late this year; this major security incident may be the icing on the cake.
According to Facebook, the attackers managed to seize control of user accounts by exploiting three distinct bugs in Facebook's code. These bugs allowed the attackers to steal the digital keys the company uses to keep users logged in. As it was the digital keys that were stolen, users are not required to change their passwords, with Facebook instead resetting the keys for all those affected. In a call to reporters, CEO Mark Zuckerberg, whose own account was compromised, said that attackers would have had the ability to view private messages or post on someone's account, but there is no evidence that this occurred.
Recent reports across multiple platforms indicate that hackers are still able to exploit the Google Play Store to upload malware with the intention of infecting Android devices. This is by no means a new phenomenon, but hackers prove again that they are a resourceful bunch. No matter what countermeasures are employed, a resourceful hacker will find a way to exploit the situation. In three separate instances, threat actors have looked to distribute malware using the Play Store. On September 24, security researchers at SophosLabs published an article explaining that at least 25 Android apps on the official Google Play store contain code that mines cryptocurrencies in the background. It is important to note that these apps do not inform users of the mining and, in the majority of circumstances, offer the user no opt-out option.
A recently discovered malware strain can be seen as a Swiss Army knife. Not only can it function as ransomware, it can also log and steal victims' keystrokes and add infected computers to a spam-sending botnet. Multi-tasking malware is by no means a new phenomenon; malware authors will look to add new components and functions to existing malware strains in an attempt to make them more versatile. While not new, these multi-tasking nasties have the unexpected side effect of making classification difficult. This, in turn, causes much strife amongst the InfoSec community.
The malware, dubbed Virobot, was recently discovered by researchers at TrendMicro (sample discovered by security researcher MalwareHunterTeam). The malware, which is capable of working as a botnet, ransomware, and keylogger, has been classified as a ransomware strain by those same researchers. Fortunately, it would appear that the malware is still under development. This is in part due to the uniqueness of the ransomware component. According to TrendMicro, the ransomware component has no ties to previous ransomware strains, but that is where the uniqueness ends.
Banks and other financial institutions have long been the targets of hackers. Not only do they deal with massive amounts of funds daily, but they are also entrusted with personal information so valuable that stealing it is a major goal for many cyber criminals. This treasure trove of personal information includes credit card data, customer information, and the wealth of corporate data that can be sold off or exchanged by those looking to make a quick profit or get an edge over a business competitor. Now they have a new, increasingly popular threat to combat. Credential stuffing is an emerging attack method which can be considered a form of brute force attack. Credential stuffing is the automated injection of breached username and password pairs in order to fraudulently gain access to user accounts. Large numbers of spilled credentials are automatically entered into websites (often by botnets) until they match an existing account, which the attacker can then hijack for their own purposes.
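The defining signal of credential stuffing, as described above, is one source trying many different username and password pairs rather than many passwords against one account. The following detector is an added example, not code from the original article or from any product it mentions: it runs over a few constructed authentication log lines (timestamp, source IP, username, result) and flags sources whose failed logins in a sliding window hit both a failure threshold and a distinct-username threshold, then counts any later success from a flagged source as a likely account takeover. The log format, thresholds and sample addresses are all assumptions made for the example.

```python
"""Credential-stuffing detector over constructed web login log lines (added example).

Credential stuffing shows up as many failed logins from ONE source against MANY
different usernames. A password-guessing attack on a single account (many failures,
one username) is deliberately not flagged here so the two can be told apart.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp ip user result" format.
# 203.0.113.7 tries five different accounts and then succeeds (stuffing pattern);
# 198.51.100.9 hammers one account (guessing pattern); 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2018-10-23T09:00:01Z 203.0.113.7 alice FAIL
2018-10-23T09:00:02Z 203.0.113.7 bob FAIL
2018-10-23T09:00:02Z 203.0.113.7 carol FAIL
2018-10-23T09:00:03Z 203.0.113.7 dave FAIL
2018-10-23T09:00:03Z 203.0.113.7 erin FAIL
2018-10-23T09:00:04Z 203.0.113.7 frank OK
2018-10-23T09:00:05Z 198.51.100.9 alice FAIL
2018-10-23T09:00:09Z 198.51.100.9 alice FAIL
2018-10-23T09:00:15Z 198.51.100.9 alice FAIL
2018-10-23T09:00:20Z 198.51.100.9 alice OK
2018-10-23T09:01:00Z 192.0.2.44 grace OK
"""


def parse_line(line):
    """Split one assumed-format log line into (datetime, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_credential_stuffing(log_text, window_seconds=60,
                               min_failures=5, min_distinct_users=4):
    """Return {ip: {"failures", "distinct_users", "successes_after"}} for flagged sources.

    A source is flagged once, within a sliding window, it has at least
    min_failures failed logins spread over at least min_distinct_users usernames.
    Successful logins from an already-flagged source are counted separately,
    since those are the accounts most likely to have been hijacked.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) for failed attempts
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        q = recent[ip]
        # Drop failed attempts that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            distinct = {u for _, u in q}
            if len(q) >= min_failures and len(distinct) >= min_distinct_users:
                entry = flagged.setdefault(
                    ip, {"failures": 0, "distinct_users": 0, "successes_after": 0})
                entry["failures"] = max(entry["failures"], len(q))
                entry["distinct_users"] = max(entry["distinct_users"], len(distinct))
        elif ip in flagged:
            # A success after the source was flagged is the likely account takeover.
            flagged[ip]["successes_after"] += 1
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {stats['failures']} failures across "
              f"{stats['distinct_users']} accounts, "
              f"{stats['successes_after']} success(es) afterwards")
```

In production the thresholds would be tuned per site and the source key would usually combine IP with user-agent or a device fingerprint, since botnet-driven stuffing spreads attempts across many addresses; the per-username view (one account receiving failures from many sources) is the complementary check.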
Last week this platform published an article which covered the emergence of a new exploit kit called Fallout, discovered by security researchers at FireEye. Initially, the exploit kit was used to distribute the SmokeLauncher trojan and the GandCrab ransomware. This week, it has started to distribute a new ransomware called SAVEfiles via malvertising campaigns.
SAVEfiles was discovered by security researcher Michael Gillespie, who has developed a reputation for discovering and analyzing new ransomware variants. While the ransomware was discovered by Gillespie, it was not known how the ransomware was distributed. Exploit kit expert Kafeine discovered that SAVEfiles was being distributed via malvertising campaigns in which IP addresses in Japan, France, and other locations have been targeted. It was further discovered that the campaign causes the visitor to go through a stream of redirects until they eventually reach a site hosting the Fallout exploit kit. The exploit kit will then automatically download and install the SAVEfiles ransomware onto the victim’s computer. The connection to hxxp://xxxart.pp.ua/1/get.php is the ransomware connecting back to its Command & Control server to receive an encryption key.
Apple has recently pulled several Trend Micro apps from its app store. These include the free packages Dr. Cleaner, Dr. Antivirus, and Dr. Archiver, all listed as developed by Trend Micro. The reason for the apps receiving the boot: they exfiltrate user data, including the user’s browser history. The discovery was made by Thomas Reed of Malwarebytes Labs and @privacyis1st. As a result of the public outcry and industry condemnation, Apple was forced to pull the apps. At the time of writing, only Dr. Wifi and Network Scanner were still available for download. In the report published by Thomas Reed, much of the research centered around Dr. Antivirus and Dr. Cleaner. Upon analysis, it was revealed that Dr. Antivirus was incredibly limited in what, in terms of malware, it could detect. This is due in part to restrictions placed on app development by Apple and imposed on the App Store. As with many similar apps, detection rates were poor even when used to detect malware within the user folder; Dr. Antivirus was no different.
The use and popularity of exploit kits among hackers seems to be waning. This decline in use has been attributed to arrests, prison sentences, and service disruptions caused by law enforcement in partnership with security firms. This is most certainly good news but does not mean their use is completely extinct. Security researchers at FireEye have discovered a new exploit kit being used in a campaign targeting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.
An exploit kit is essentially a type of “toolkit” used by hackers to attack vulnerabilities in systems so they can distribute malware or perform other malicious activities. Often exploit kits are packaged with exploits that target commonly installed software such as Adobe Flash, Java, and many others. A typical exploit kit can include a management console, a set of exploits targeting vulnerabilities in different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack.