Internet threat news
Security firm Lookout has released a report which shows an alarming increase in the rate at which users are receiving and clicking on phishing URLs on their mobile devices. The firm witnessed an average rate of 85% per year increase since 2011. What is perhaps more worrying is that 56% of users received and clicked on a phishing URL that bypasses existing layers of defense, the security firm says. On average, a user clicked on a mobile phishing URL six times per year.
The security company set out with the aim of analyzing the mobile phishing threat landscape, the company found that attackers are successfully circumventing existing phishing protections to target the mobile devices. This circumvention of existing protections allows the attacker to expose sensitive data and personal information relatively easily. With over 66% of emails first opened on a mobile device and email arguably the first point of attack for a phishing campaign, unprotected emails on a mobile device are becoming the chosen attack vector for many such campaigns.
Late on April 7, reports began emerging that a significant number of Cisco switches located in Iran and Russia were being hijacked. The attack appears to have been done by a hacktivist group calling themselves “JHT” and may be in response to and in protest to election-related hacking. Cisco switches are network switches sold by the company. A network switch connects computers, printers, phones, cameras, lights, and servers in an office building or campus for example. A switch serves as a controller, enabling networked devices to talk to each other efficiently as opposed to a router which allows for connection to a particular network. The attack targeted internet service providers, data centers, and in turn some websites within Iran and Russia. It is yet unclear on how exactly the attack was carried out but it is believed the attacks involve a recently disclosed vulnerability (CVE-2018-0171).
While the Facebook and Cambridge Analytica saga still dominates most infosec headlines with an estimated 87 million user’s data exploited rather than the initial 50 million, those behind cyber attacks are still active. On April 4, Bloomberg reported that at least four U.S. pipeline companies have seen their electronic systems for communicating with customers shut down over the last few days. Three of those companies report that the shutdown was as a result of a cyber attack. On Tuesday, Oneok Inc., which operates natural gas pipelines in the Permian Basin in Texas and the Rocky Mountains region, said it disabled its system as a precaution after determining that a third-party provider was the “target of an apparent cyber attack.” Previously, Energy Transfer Partners LP, Boardwalk Pipeline Partners LP, and Chesapeake Utilities Corp.’s Eastern Shore Natural Gas reported communications breakdowns, with Eastern Shore saying its outage occurred on March 29.
Based on several reports from research firms it would appear that AutoHotKey is been used in the creation of malware. AutoHotKey, often simply referred to as AHK, is an open-source scripting language developed for the Microsoft Windows operating system back in 2003. AHK was born when its creator tried and failed to add support for keyboard shortcuts (hotkeys) in AutoIt, a similar Windows scripting language. Since its creation, it has become a major Windows scripting language. Besides original support for remapping keyboard shortcuts, AutoHotKey is now a powerful system that can now interact with the local file system, monitor or close programs, set up scheduled tasks, but also important for the novice hacker it can automate repetitive operations inside third-party software packages. Added to that obvious advantage for the novice, AHK scripting language uses a simple syntax that even non-technical users can understand.
Based on the languages ease of use, ease of understanding, and the ability to automate repetitive operations AHK historically has been used by gamers to create aimbots, an auto-aim cheating tool used in first-person shooters. While being abused by gamers to try and get an edge a few have been at work subverting the language for hacking purposes. Researchers believe this may be the start of a new trend in malware development. This would certainly be the case when considering the recently published reports by Ixia and Cybereason.
Readers would be forgiven for thinking this an old news story from last year. However, as of Wednesday, March 28, 2018, the Seattle Times reported that Boeing, a world leader in aircraft design and their sales, was experiencing a WannaCry attack. The same WannaCry ransomware that made international headlines the year before.In May 2017 reports began surfacing of a ransomware worm that spread rapidly across numerous networks. The ransomware was dubbed WannaCry and once it infected a Windows-based system it encrypts files on the PC's hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin in order to decrypt them. Based on that one would think it was just a run of the mill ransomware. There were, however, a few factors that made the new ransomware strain noteworthy. It struck a number of important and high-profile systems, including many in Britain's National Health Service; it exploited a Windows vulnerability that was suspected to have been first discovered by the United States National Security Agency; and it was tentatively linked by Symantec and other security researchers to the Lazarus Group, a cybercrime organization that may be connected to the North Korean government. All this combined made the attack a perfect cybercrime storm.
Since news broke surrounding the whole scandal involving Cambridge Analytica and their misuse of data provided by Facebook the story has evolved somewhat. The excellent work of investigative journalists who published the initial shocking report on the matter has now come to head with many vocal voices demanding the truth and eventually, justice for the betrayal of what they hoped was private. It is also felt that such abuse of the democratic principles held dear by many western governments needs to be bolstered to prevent such abuse in future. The article which follows details events in line with the public demanding answers to such questions as well as further details on how Facebook manages your data.
Since the dawn of social media platforms privacy rights experts have been warning the public as to the dangers such platforms may have. These warnings tend to be summarily ignored till now. Facebook is not immune to scandal and has successfully navigated a few to become the behemoth of social media platforms. In all likelihood, it will limp through this latest scandal where data was abused by Cambridge Analytica in an attempt to swing both the last US Election as well as the Brexit referendum. The story that has erupted since Christopher Wylie revealed to the press that the data from 50 million individual Facebook users were used to influencing elections has snowballed since the beginning. The article that follows attempts to summarise what has happened so far and what is known.
It is believed that a Chinese-linked espionage group is currently increasing its activity in targeting foreign engineering and maritime companies. This is according to a report recently published by FireEye, a well-respected cybersecurity firm known for its nation-state threat intelligence. The Chinese-linked espionage group has been called Leviathan by researchers and analyst. The group also goes by the name TEMP.Periscope and have been active for over a decade. The group has been historically interested in targets connected to the South China Sea geographical and political issues that have affected the region for China and its neighbors. These targets include research institutes, academic organizations, and private firms in the United States. Over the years the group has also shown interest in professional/consulting services, high-tech industry, healthcare, and media/publishing. Most of the identified victims were in the United States, with some located in Europe and at least one in Hong Kong.
On March 7, Microsoft released a report detailing that Windows Defender AV detected and thwarted a massive outbreak of the Dofoil, sometimes referred to as Smoke Loader, trojan. The campaign attempted to infect over 400,000 users in a 12-hour window. The campaign targeted mainly Russian users but instances were detected in the Ukraine and Turkey. Russia made up the vast majority of detected instances with 73% followed by Turkey which accounted for 18% and Ukraine on 4%. On March 13, Microsoft released a follow-up report explaining that the attack was caused by backdoored Russian-based BitTorrent client named MediaGet.
It would appear that Chinese Intelligence Agencies are altering the Chinese National Vulnerabilities Database (CNNVD) in an attempt to hide security flaws that government hackers might have an interest in. This is the conclusion made by Recorder Future, a US-based security firm, in a recently published report. Recorded Future has developed a reputation for tracking and revealing Chinese state-sponsored cyber spying. According to the latest report published by the firm, the firm noticed in recent months mass edits to the CNNVD website. This would imply that CNNVD operators have been backdating the publication dates for hundreds of vulnerabilities.
In November 2017, Recorded Future published a report examining the publication speed of the CNNVD. The report concluded that China had a process for evaluating whether high-threat vulnerabilities had operational utility in intelligence operations before publishing them to the publicly accessible CNNVD webpage. The firm wished to revisit the analysis in an attempt to further confirm their allegations only to find that CNNVD had altered their initial vulnerability publication dates. It is assumed this was done to cover up any evidence of wrongdoing.
Following the record-breaking Distributed Denial of Service Attacks (DDoS) that targeted both Github and a yet unnamed US-based company, referred to as a service provider in various reports, a surge in Memcached DDoS research and proof of concept code was bound to come up. Recently two proof of concept attacks has been published online illustrating a surge in popularity of attempting such a reflective DDoS attack.
Both the record-breaking attacks have shone a light on Memcached DDoS attacks, more so than previous research warning of the possibility of such attacks, but what exactly is a Memcached DDoS attack? In such an attack, the attacker targets Memcached servers that are exposed online. Memcached servers allow applications that need to access a lot of data from an external database to cache some of the data in memory, which can be accessed much more quickly by the application than having to travel out to the database to fetch something important. Such servers have been used by companies to speed up page load time and deal with spikes in demand.
These servers have been used internally, disconnected from the public internet but accessible within a trusted network to improve internal application performance in the past which would mean they would not be an easy target for such an attack. However, recently it would appear that such servers have a default setting which exposed UDP (user datagram protocol) online.
In a report published by Microsoft on March 1, researchers have been able to dissect FinFisher. FinFisher is advertised as a lawful interception solution built by Germany-based FinFisher GmbH. It is sold exclusively to governments and is criticised by civil rights groups across the globe. It is sometimes referred to as FinSpy and has been active for nearly half a decade, often used by government agencies in conjunction with surveillance operations.
According to Microsoft, due to the analysis conducted by their researchers, Windows Defender Advanced Threat Protection (Windows Defender ATP) is capable of detecting behavior associated with the complex FinFisher spyware. The analysis was not cut and dry as sometimes malware analysis can be. Microsoft admitted the malware is complex and required the researchers to develop special methods just to crack the offending spyware.
Researchers at UK based firm Wandera have been analyzing a new Android malware called RedDrop. The malware is reported to be able to do a wide range of actions including recording nearby audio and uploading the data to cloud-storage accounts on Dropbox and Google Drive. The malware was spotted initially on the mobile devices of employees of several global consultancy firms and appears to target mainly those living in China.
Researchers at Wandera have discovered 53 malware-ridden apps that are exfiltrating sensitive data from infected devices. The primary goal of these apps and the network that supports it is to get users to unknowingly send SMS messages to premium services, thus incurring financial loss. Applications that have been infected with RedDrop are being distributed through a network of more than 4,000 domains and range from tools such as image editors and calculators to recreational apps. Every observed application offers the expected functionality, thus making it difficult for users to detect themselves if they have unwittingly downloaded a malicious program.
Authorities working for the American criminal justice system have sentenced Taylor Huddleston, 27, of Hot Springs, Arkansas to 33 months in prison and two years of supervised release for aiding and abetting hackers by creating and selling malware. Huddleston had already pleaded guilty in July 2017 and left it up to the courts to decide how much prison time he would serve. His guilty plea followed his arrest by the FBI earlier in 2017.
Huddleston’s case and subsequent sentencing is precedent setting because he was the first case where the author of a malware strain was arrested, despite not being accused of using the malware himself. This may not bode well for Marcus "MalwareTech" Hutchins as US authorities are pursuing a similar case against him. Hutchins rose to fame when he helped stop the WannaCry ransomware outbreak. In regard to Hutchins’ case, he is alleged to have created the Kronos banking trojan.
The Hutchins case is been followed rather closely by security researchers around the globe with many coming to Hutchins’ defense. As the case stands currently prosecutors allege that Hutchins confessed to creating Kronos during interrogation, but his lawyers filed a document on Friday outlining their argument that Hutchins' confession was coerced. They insist he was exhausted and intoxicated when authorities received his confession. Hutchins is currently on bail in Los Angeles, and no date for his trial in Wisconsin has yet been set.
Page 11 of 27<< Start < Prev 11 12 13 14 15 16 17 18 19 20 Next > End >>