Internet threat news
The recent variant of Petya, also called GoldenEye or NotPetya, is believed by security researchers globally to be malware type known as a wiper rather than the ransomware originally reported on. For the purposes of this article, the malware will be referred to solely as NotPetya for the remainder of the article in order to keep confusion down to a minimum. While it initially did appear as ransomware by demanding a ransom to decrypt data that had been encrypted as well as leveraging EternalBlue and EternalRomance as if earlier ransomware attack campaigns. Added to this victims were instructed to pay the ransom in the now traditional method of Bitcoin. Once analyzed by numerous researchers in numerous leading security companies, the truth does appear stranger than fiction.
German email service provider, Posteo, has attempted to combat the new version of Petya by blocking the email accounts used by the hackers utilizing their service in order to extort Bitcoin from victims. By blocking the email accounts of the hackers, they cannot access their mail or send mail. Thus, this would leave victims who to paid the ransom unable to receive the encryption code. This has left many to criticize the move by the company to block emails and thus render victims without the option to pay for their files to be decrypted. In an email sent to journalists at Motherboard, Posteo defended their position and believe that preventing misuse of their platform to be vital for the company and legitimate users of their platform. Posteo went further to say that there was no guarantee that if the ransom is paid the victim's files would be decrypted.
Researchers and analysts at Trend Labs have discovered a new fileless ransomware which they have termed Sorebrect. Although fileless ransomware is by no means new, this latest variant displays some cunning features intended for it to evade detection and frustrate forensic audits. The variant was first discovered infecting systems in Lebanon and Kuwait, however, it has recently been seen infecting systems as far afield as Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the U.S. Sorebrect seems to be specifically targeting companies within the manufacturing, technology, and telecommunications industries. Experts further believe that this new variant will in all likelihood appear in more countries or even peddled as a Ransomware as a Service (RaaS) on the Dark Web to serve criminal organizations in extorting money from victims.
US Authorities Warn of North Korean DDoS Botnet
The Department of Homeland Security and the Federal Bureau of Investigation via United States Computer Emergency Readiness Team (US-CERT) issued a bulletin warning of a new distributed denial-of-service (DDoS) botnet targeting US businesses. It is believed the threat actors are the hacking group “Hidden Cobra”, who are also known as the Lazarus Group. This group is suspected of having strong ties to the North Korean government. Both the FBI and the Department of Homeland Security stated that it appears that businesses within the media, aerospace, financial, and critical infrastructure sectors within the US as well as other international businesses and state organizations.
While recent ransomware and malware attacks that have made headlines recently have left many Mac users with a false sense of security. While many Mac users have been boasting about their OS of choice and how they believe their OS invulnerable to attack. The recent emergence of MacRansom, ransomware targeting Mac OS, and MacSpy, spyware also targeting Mac OS, should give the Mac user pause for thought.
While many Mac users believe that their system of choice is superior in terms of security when compared to the Microsoft counterpart. The reality is that due to Windows having over 90% of the market share with regards to operating systems, it is often not worth cyber criminal’s time to create malware targeting Mac OS as more damage can be caused by targeting Windows systems in a sustained or brief campaign.
Recently verified Twitter accounts of journalists in Venezuela had been hacked in order to promulgate misinformation in the form of fake news. Recent hacks of the Qatari news agency have resulted in a massive political falling out between the small Gulf nation and its neighbors, mainly with Saudi Arabia and the United Arab Emirates, over a fake news story alleging Qatar’s involvement with Iran. This is an oversimplification of a complex situation but it does appear that the hack and subsequent publishing of fake news stories sparked the recent diplomatic feud in conjunction with President Trump’s recent visit to Saudi Arabia.
In the case of the Venezuelan journalists, their Twitter accounts were hacked in a method not been seen before in order to promulgate fake news in the hope that that misinformation will spread to the journalist's followers. This would not only negatively impact the journalist’s reputation, potentially destroying a chosen career, but also make it harder for followers to gain access to factual news in Venezuela, a government which has recently authorized censoring the internet and surveillance in a misguided method to suppress the political unrest.
Large corporations using a dominant market position is becoming a story as old as David taking his sling and stone to Goliath. Kaspersky is probably wishing it was as easy as purchasing a sling and finding a stone to take on Microsoft. Kaspersky has recently opened an antitrust suit against Microsoft with the European Commission and German Federal Cartel Office. This comes months after Kaspersky opened a similar case in its home country with the Federal Antimonopoly Service (FAS). The cases have raised questions as to whether Microsoft’s practices are ethical and not an attempt at creating a monopoly in the cyber security sector. It is not only Antivirus developers that are allegedly suffering but other independent suppliers who are complaining that they are been throttled by the OS giant.
Kaspersky has gone on record to say that Microsoft has moved to correct some of the issues listed in the complaint made with Russian authorities. This is despite Microsoft denying any wrongdoing. The issues fixed pertaining to the Russian complaint surrounded the Windows 10 insisting that the user’s computer was not safe if it used a third party antivirus. This would lead users to potentially only use Windows Defender which in turn would have a negative effect on independent developer’s, like Kaspersky’s, business. Central to this claim was a “Turn On” button which would lead user’s to believe that their system would be secure only if the button was clicked, even though there is a third party antivirus program installed.
Barely a few days after the horrendous attacks that occurred in London on 3 June 2017 Theresa May saw this as an opportunity to push her parties agenda to allow encryption backdoors. This comes two weeks after May and her Conservative Party listed proposals for wider Internet surveillance laws within the parties most recent election manifesto. While this would not be the first time politicians used a tragedy to push legislation through law-making bodies that imposed restrictions on citizens while broadening and fundamentally increasing surveillance law. This seems to be another case where politicians exhibit no shame in using a tragedy for their own agenda.
This supposed crackdown on the Internet in the interests of safety and counter-terrorism comes only months after the Conservative Government, with May championing the legislation, passed the Investigatory Powers Bill (IP Bill) which included the following legislative changes to regulation and surveillance:
• Internet Service Providers must log every user's web browsing history for a year.
• Police and other law enforcement agencies can access this data through a specialized interface and search for suspects or general profiles.
• Security services can access and analyze public and private databases.
• Government agencies can still collect communications data in bulk, just like through RIPA.
• Police and other law enforcement agencies can, under certain circumstances, hack into users' devices.
• Communications operators must remove their side of encryption and help state agencies access data or devices.
Sustainable Business Plan?
The now infamous hacking group termed “The Shadow Brokers” recently announced that they will be selling exploits and other tools initially hacked from the NSA in the autumn of 2013. For the somewhat staggering sum of 20,000 USD a month you can subscribe and receive monthly released exploits as well as SWIFT network data and information concerning Russian, Chinese, and North Korean nuclear programs. The group would like the fee paid in Zcash, a cryptocurrency advertised as “permissionless cryptocurrency that can fully protect the privacy of transactions using zero-knowledge cryptography.” 100 Zcash is approximately 20,000 USD. The group who initially gained notoriety for the above-mentioned hack recently gained their name in headlines as the group that released the EternalBlue and DoublePulsar exploits that aided WannaCry in infecting a number of computers it did. They have threatened to release more in the month of June but this new subscription business model has got experts asking more questions than they have answers.
This is not the first time the group has looked to monetise their hacking skills. They initially attempted to auction of all the data to the highest bidder, for which it was proposed that the group expected to receive over 10,000 Bitcoin for the exploits. That did not materialize and then attempted a Kickstarter campaign to raise the funds they thought the information was worth. It is estimated that the group has earned only 10,5 Bitcoin, or roughly 24,000 USD, through the various fundraising methods. It is yet to be seen if the subscription model will be a success. The group itself has admitted that they looking at what they deem as “high rollers” to be their main customer base. Based on previous attempts to monetise their hacking ability, experts are not convinced this will meet with any more success.
Security researchers at Whitescope have found over 8,600 vulnerabilities in the devices regarded as in the broader pacemaker ambit. These vulnerabilities were found across four producers of several products defined as pacemakers. These vulnerabilities were discovered in radio controlled devices such as pacemakers, Implantable Cardioverter Defibrillators, Pulse Generators, and Cardiac Rhythm Management collectively termed “pacemaker devices” in the study. These vulnerabilities not only raise worrying questions as to the safety of such devices but also the vulnerabilities that may come to plague the fabled Internet of Things.
Convenient, most definitely
The rise of appliances connected to the internet that enables users to change heat settings, lock doors, order food, and connect to other drivers have undoubtedly added new convenience to today’s refrigerators, motor vehicles, LCD television sets, and thermostats. However, they may be a future source of strife and frustration. Such convenience comes at a cost, the devices are practically unpatchable. Combine this with that such devices are intended to have a longer lifetime than the laptop this article is been written on and the company’s manufacturing such devices do not have the budget to pour into security features and upgrades means that they are extremely vulnerable to attack.
Fake News Hack
On May 23 reports surfaced that Qatar’s state news agency was hacked. Their website was hacked and allegedly uploaded fake news story pertaining to statements made by Emir Sheikh Tamim bin Hamad Al-Thani, Qatar’s current leader, supposedly made as to the small oil-rich nation’s political relations. The fake news stories included calling Hamas "the legitimate representative of the Palestinian people," comments as to the strong relations with Iran, and supposed tensions between Qatar and the US President Donald Trump. Qatari government officials and the news agency in question were quick to say that the news agency was indeed hacked and there is no substance to the stories.
Despite the broad denials and the admission of being hacked, many of Qatar’s allies in the region were quick to condemn the nation. The Saudi Arabian news agency Okaz was most vociferous in its coverage. Comments such as "Qatar splits the rank, sides with the enemies of the nation." Illustrate that the denial was not accepted by Saudi Arabia and other Gulf nations. As if in retaliation Al Jazeera’s website, with its head office based in Doha, was blocked in Saudi Arabia and the United Arab Emirates.
Ever since WannaCry made it onto the front page of every newspaper and received a dedicated segment on twenty-four-hour news channels, every Friday since then another worm using the same exploit appeared. This past Friday was no different. On Friday, May 19, another worm using the same exploit as WannaCry emerged. Discovered by Croatian analyst Miroslav Stamper, it has been dubbed EternalRocks. It has also gone by the name MicroBotMassiveNet. This exploit yet again uses the NSA tools dumped by “The Shadow Brokers”. However, while WannaCry used an unsophisticated code, the more recent malware detections like Adylkuzz and EternalRocks are believed to be far more advanced.
The initial dump of NSA linked hacking tools has opened a veritable Pandora’s box to hackers and affiliated groups worldwide, not to mention rumors of other international spying agencies taking note. While some debate whether it was North Korean groups with links to the hermit kingdom or not which created WannaCry, the point seems almost moot considering a number of new attack campaigns which leverage the dumped tools. EternalRocks uses several of the dumped tools which exploit the now infamous SMB zero day in Window’s older operating systems. Stamper discovered that EternalRocks uses EternalBlue, EternalChampion, EternalRomance, and EternalSynergy to compromise vulnerable systems while it uses SMBTouch and ArchiTouch for reconnaissance purposes. Once the worm has gained a foothold in a vulnerable system it then uses DoublePulsar to spread to other vulnerable machines.
With much of the world still reeling from the WannaCry attack of last week, analysts and researchers have discovered a new threat. Researchers at Proofpoint discovered the threat on Monday this week that uses the same SMB exploit as WannaCry. The new threat, termed Adylkuzz, is not ransomware but rather a Cryptocurrency Mining Botnet. Adylkuzz makes use of the same alleged NSA hacking tools EternalBlue which took WannaCry from a purely amateur hour ransomware to the threat that made headlines infecting over 200,000 systems from over 150 Countries. Adyllkuzz further employed DoublePulsar another of the dumped hacking tools in its propagation.
The going wild of the abovementioned NSA hacking tools by the Russian hacking group “The Shadow Brokers” will undoubtedly have massive ramifications for the cyber security industry and the public as a whole. While WannaCry was a shot across the bow as to the seriousness of threats particularly when one saw how a simple ransomware bug when combined with NSA tools, could infect the British National Health Service, US package delivery giant FedEx, Spanish telecoms giant Telefonica, and Germany's Deutsche Bahn rail network. Adylkuzz, on the other hand, turns infected systems and by default their unwitting users into accomplices to financial crime on a grand scale. Little is known yet of the true scale of this attack but due to its more sophisticated nature than WannaCry, Adylkuzz may be significantly larger in scale.
The Wake-up Call
Microsoft has labeled the cyber wildfire called WannaCry a massive wake up call. By Saturday, May 13, it was reported that over 200,000 computers from over 100 countries had been infected with the ransomware in question. The speed at which WannaCry propagated was extraordinary, which leveraged a Windows SMB Exploit which had already had a patch released, by targeting computers and systems without the patch installed. It has been reported that the SMB exploit is the recently dumped EternalBlue, a collection of hacking tools allegedly developed by the NSA and dumped by the hacking group “The Shadow Brokers”.
The ransomware affected the British National Health Service, Nissan manufacturing plants, as well as numerous telecoms and well-developed organizations which one would assume, would do their utmost to protect against ransomware and similar attacks. The version which caused all the fuss had a killswitch which was exploited by the security analyst who goes by the name of MalwareTech to greatly reduce the spread and infection rate of the malware. As to whether the killswitch was a feature included by the ransomware’s creators or was merely an oversight is not apparent yet. Regardless, Europol, cyber security companies, software manufacturers, and other service providers are sending out multiple warnings to help mitigate the damage done. By the end of the weekend, it was estimated that the creators of WannaCry had received over a hundred payments totally over 25,000 USD.
Page 10 of 21<< Start < Prev 1 2 3 4 5 6 7 8 9 10 Next > End >>