Internet threat news

Ivan Fratric, a security researcher at Google Project Zero found a way to bypass Arbitrary Code Guard (ACG), a feature added by Microsoft to Edge in Windows 10 Creators Update alongside Code Integrity Guard (CIG). The details of this vulnerability have been made public as Microsoft failed to release a patch for the vulnerability within the 90-day deadline. The security feature added by Microsoft in February 2017 was designed to prevent browser exploits from being able to execute malicious code.

The inclusion of the above features into the Edge browser as a modern trend developed where a large number of browser exploits attempt to transform a memory safety vulnerability into a method of running arbitrary native code on a target device. Utilising this technique offered the attacker the path of least resistance as it enabled the attacker to uniformly stage each phase of their attack. Well, such techniques present the attacker with certain advantages, the defender can successfully defend against such attacks without any prior knowledge of the attack, this being a definite advantage if used correctly. A successful defence then has to simply be able to prevent arbitrary code form from executing.

Lord Tariq Ahmad, Foreign Office Minister for Cyber Security, has directly attributed the NotPetya cyber-attack to the Russian Government. This would make it the first Western country to do so and lay blame at the doorstep of the Russian government for orchestrating and deploying the ransomware in 2017. In a statement issued by the English Foreign Office, Lord Ahmed stated “The UK Government judges that the Russian Government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack of June 2017…The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organizations across Europe costing hundreds of millions of pounds.” Ahmed further expressed that “The Kremlin has positioned Russia in direct opposition to the West yet it doesn’t have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather than secretly trying to undermine it.” At the time of writing no statement had been made by the Russian Government in response to the allegations.

While both the Olympics and Winter Olympics were intended to celebrate the human spirit it appears some may have never gotten the memo. During the Cold War, the Olympics was used as another event to prove whether Soviet communism or American capitalism was the superior ideology. While times change the Olympics in its multiple forms still appears to be an event needing to be co-opted for far more reasons than the organizers originally intended.

The 2018 Winter Olympics in Pyeongchang, South Korea appears to be no different in this regard. Even before the games had started Olympic organization bodies and other organizations closely linked with the event have been targeted by hackers. As early as December 2017 researchers were detecting attacks against such organizations. The latest incident occurred during the opening ceremony when a mysterious internet shutdown occurred.

A group of scientists based at the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel have just released papers detailing how they managed to hack devices protected by a Faraday Cage. The team has developed a reputation for some extraordinary and generally spectacular hacks which seem impossible at the time.

A Faraday cage, or sometimes referred to as a Faraday Shield, is a metallic enclosure meant to block electromagnetic fields coming in or going out. Named after Michael Faraday who invented them, such devices utilize the phenomenon that when an external electrical field causes the electric charges within the cage's conducting material to be distributed such that they cancel the field's effect in the cage's interior. The phenomenon is used to protect sensitive electronic equipment from external radio frequency interference (RFI). Faraday cages are also used to enclose devices that produce RFI, such as radio transmitters, to prevent their radio waves from interfering with other nearby equipment. These protective devices have found a lot of commercial use with companies placing sensitive networking equipment, servers, or workstations inside data centers or rooms protected by a Faraday cage. Banks regularly use Faraday-shielded rooms to protect servers.

It appears the operators of a gaming server rental business are diversifying their product offering. The company is believed to have built an IoT DDoS botnet, which they are now offering as part of the server rental scheme. It is believed that this is been offered based on one fairly significant clue, that being that the new IoT botnet, called JenX, is operating from the same server used by the company. This server is located at skids.sancalvicie.com. Added to this the IoT’s Command and Control server is found on the same server and domain used by the gaming server rental business, that business being San Calvicie (hxxp://sancalvicie.com).

Researchers from Radware, who discovered JenX, concluded that the new botnet is likely the botnet that powers a DDoS function included in one of San Calvicie's rental offers named "Corriente Divina" by the operators. According to the company’s website for 16 USD, users can rent a GTA San Andreas multiplayer modded server, for 9 USD they can rent a Teamspeak server, and for an additional 20 USD, users can launch DDoS attacks of between 290 and 300 Gbps. The DDoS service offered by the company is claimed to be able to carry out Valve Source Engine Query and 32bytes DDoS floods. They also advertise a "Down OVH" option, suggesting their botnet is large enough to cause problems even for the world's largest ISP and VPS providers.

The MalwareHunter team has been tracking a new ransomware called MindLost. The security researcher has been tracking samples of this new ransomware since January 15. The new strain encrypts users data then redirects the now victim to an online page to pay the ransom via credit/debit card. MindLost referred to by Microsoft as Paggalangrypt, is not being actively distributed as of yet, leading researchers to believe it is still currently under development. Despite not been complete the ransomware does work and targets the following extensions .c, .jpg, .mp3, .mp4, .pdf, .png, .py and .txt. for encryption. It also searches for the file extension within the storage devices and folders to encrypt files.

On a weekly basis, it appears someone gets swindled from their cryptocurrency in one form or the other. Whether Bitcoin, Ethereum, Litecoin, or Monero hackers have been quick to pounce on the new technology seemingly rewriting the rules of economics and trade. Some hackers use nasty pieces of malware while others are content merely to trick users into sending cryptocurrencies to the wrong address. In the latest instance, trickery was the name of the game. An as yet unknown attacker has tricked Experty ICO participants into sending Ethereum funds to the wrong wallet address. This was done by merely sending emails with a fake pre-ICO sale announcement to Experty users who signed up for notifications.

Facebook has bought a Boston based government ID verification service, Confirm, which Facebook will most likely use to confirm the identities of suspicious accounts in its fight against fake accounts used to spread political propaganda. Prior to Facebook purchasing the start-up, the start-up provided APIs that app developers could embed with their services. The Confirm APIs (Application Program Interface) allowed apps and online services to analyze a scan or photo of a user ID and determine if it was real or fake. Prior to the purchase, Confirm boasted that over 750 customers deployed its API throughout various products. Some of the common use cases for Confirm's government ID verification services included onboarding and account creation processes; P2P identity checks; fraud escalation, banking, and legal transactions. As per the purchase agreement, Confirm will shut down its activity and the company's employees will join Facebook's Boston office.

The hacking group behind SamSam attacks have been busy striking high profile targets since the beginning of January. These targets include hospitals, a city council, and an ICS (Industrial Control Systems) firm. Reported attacks include the one against the Hancock Health Hospital in of Greenfield, Indiana; Adams Memorial Hospital in Decatur, Indiana; the municipality of Farmington, New Mexico; cloud-based EHR (electronic health records) provider Allscripts; and an unnamed ICS company in the US. Unlike many other ransomware campaigns the group behind SamaSam, also sometimes referred to as Samas, use the variant in a targeted way not relying on massive phishing campaigns.

On January 18 the Greenfield Reporter published an article detailing the SamSam attack on Hancock Health Hospital. Hospital officials admitted that hackers’ targeted more than 1,400 files, the names of every one temporarily changed to “I’m sorry.” They gave the hospital seven days to pay or the files would be permanently encrypted but no patient records were jeopardized. Since the attack, an analysis of the attack revealed the believed location of the attackers is somewhere in Eastern Europe.

Necurs is considered the world’s biggest spam botnet with what is widely believed to be millions of bots at the creators’ disposal. In the latest use of Necurs, the spammers are currently sending millions of spam emails that push an obscure cryptocurrency named Swisscoin. Such schemes are called pump and dump schemes as spammers will buy stock in advance at a low price and sell it at a higher value when the spam campaign drives up the price. In order to drive up the stock price before selling this technique relies heavily on sending large quantities of spam to drive interest up towards a particular penny stock, in this case, the obscure and less than kosher Swisscoin.

This latest spam campaign looks to be the first time the Necurs botnet has been used to push a cryptocurrency albeit an obscure one like Swisscoin. This, however, is not the botnets first pump and dump scheme. In March 2017 the botnet was used in a similar fashion to influence the share price of InCapta stock. Then it was estimated that Necurs had anywhere between 5 million and 6 million bots able to easily send tens of thousands of emails an hour. Prior to the InCapta spam run, Necurs rather infamously was used to spread the Dridex banking trojan and several variants of the Locky ransomware family.

In this instance, the promoting of a cryptocurrency in order to influence stock prices immediately caught the attention of security researchers. This is because it differs drastically from the past method of targeting penny stocks that fall under 5 USD per stock. This left researchers questioning the choice of cryptocurrency. Why not look to influence the share price of a well-known altcoin?

Cryptocurrencies make news headlines at a near daily rate. Often they concern whether Bitcoin is about to reach a new high or the bubble is about to burst. Unfortunately, it seems they make the headlines just as often when it comes to hackers stealing funds from crypto wallets. While many nations have begun debating the dangers surrounding cryptocurrencies, or at the very least what they perceive as the dangers, continued headlines stating how money is stolen can do little for the technology that many have gotten excited about.

On Saturday, January 13, another instance of a hack came to light. This time an unknown hacker, or hacker group, managed to hijack the DNS (Domain Name Server) for BlackWallet.co, a web-based wallet application for the Stellar Lumen cryptocurrency (XLM). The hacker managed to steal over $400,000 from users' accounts.

While much of the InfoSec community is still reeling after the Meltdown and Spectre announcements, a new trend in malware developments may be occurring. Researchers at cybersecurity firm Trend Micro have released a report detailing what they believe to be the first malware discovered developed in the Kotlin programming language.

Kotlin was, for most of its early existence, a little-known programming language. That was until May 2017 when Google, at the Google I/O 2017 conference, that the programming language would become the first third-party supported programming language for Android apps, besides Java. This gave the language a surge in popularity and use. So much so that Kotlin is estimated to surpass Java as the primary programming language used for Android apps by December 2018. In hindsight, one could argue the surge in popularity would inevitably result in malware authors looking to use the language to achieve their nefarious ends. The question would be a matter of if rather when.

While the media and InfoSec community waits with bated breath for Intel and AMD’s response to the critical flaws found in generations of processors, Microsoft has been wasting little time in trying to shore up the problem with patches of their own. In their haste, it appears certain issues have arisen. In an announcement earlier today, January 9, announced that they would be pausing the roll out patches for devices featuring AMD processors. In another announcement made by Microsoft is was stated that they would not be rolling out any more security updates unless Antivirus offerings set a registry key.

The makers of the world’s most prevalent OS announced its decision today in light of numerous AMD users reporting a Blue Screen of Death (BSOD) and other types of errors that in some cases prevented computers from booting. On a support page Microsoft announced “After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown,”

Over the last two days, the InfoSec community has been rocked by news of a yet unnamed critical vulnerability affecting several generations of Intel CPUs. The vulnerability is due to be announced on January 9 but till then many researchers have compared the vulnerability to the now infamous Heartbleed bug. Heartbleed affected the OpenSSL library “heartbeat” which essentially lets one computer tell the other computer, “I am here. Don't close this session. I am thinking.” The heartbeat system has one computer establish a secure connection with another and send an incoming request data packet. The second computer will then copy that request into a reply packet and sends it back to confirm the connection is working and valid. The vulnerability is a memory buffer overflow, where if the machine receives fewer packets than it is expecting to receive, it randomly grabs bits of information from memory to pad out the response to the correct size. In an attack scenario, the vulnerability could have been exploited on high traffic websites to access usernames and passwords of users who had just logged on.