Internet threat news

Rowhammer Variant Bypasses Countermeasures

Security researchers have developed a variant of the Rowhammer malware that is able to bypass all the current countermeasures proposed for such an attack. The blanket term Rowhammer has come to describe a security exploit that takes advantage of the fact that hardware vendors are cramming too many memory cells together on the same boards in order to make smaller components with larger memory storage. An attacker can exploit this by bombarding RAM memory cell rows with constant read-write operations causing the memory cells to change their electrical charge. This means that the stored data can be modified from 1 to 0, or alternatively 0 to 1, thus altering information stored on the computer. By altering the stored information in such a way the attacker is able to deliver malicious code that alters normal OS behavior to escalate the attacker's privileges, root devices, or cause denial-of-service states to crucial services, such as security software.

Database Wipe Ransom Hits R6DB

Over the last two years, security researchers have seen servers accessed and data wiped with the attacker sending a ransom note to have the data restored. The most recent victim has been the team behind R6DB, an online service which provides Rainbow Six Siege player statistics. The attack occurred on September 30 in which an automated bot accessed the server, wiped the database, and left a ransom note behind. The database appears to be a PostgreSQL instance. At the time of writing, this article R6DB have recovered most of the data and are currently running updates on the new server.

Another Banking Trojan Leverages EternalBlue

Once EternalBlue was released into the wild by the Shadowbrokers it was predicted that its effects would be far-reaching. Time has proven those predictions correct with many hacking groups around the global adding yet another tool in spreading malicious payload. In this instance the creators of the banking Trojan Retefe have leveraged EternalBlue in order to spread across computers via unpatched and outdated SMB servers.

Earlier this year Emotet and TrickBot were discovered by security researchers sporting highly customised version of EternalBlue. This was at a period where the use of worms to spread malicious payloads across networks was declining with some thinking the malware variant to be dying a slow death. Upon the emergence of EternalBlue new life was seemed to be breathed into something that was thought to be a relic of the recent past. Other than seeing worms become fashionable once more, how banking Trojans were used and operated also changed. In the past those deploying such Trojans would like them to remain undetected for as long as possible, now it seemed they wanted to infect as many computers as possible thus gaining a vast amount of credentials in a smaller space of time. This would have been the trade-off for being easier to detect one can assume.

Coinhive: Innovative but Abused

Cryptocurrencies are fast becoming, if not already, a massive investment tool that is rewriting the rules as to what the currency currently in your wallet can be. With innovation often comes teething problems, these in themselves are not a worry. What is a worry is how malware authors are exploiting innovative ideas for short-term gain. This is hardly new and seems to be an information age constant in that if a tool or idea can be abused to swindle and extort it shall. This maxim is probably not even an information age phenomenon but one that pervades human history.

Coinhive appears to have started its life fairly innocently. As a tool Coinhive could be used by website owners to generate extra income rather than utilizing ad banners. It is essentially a java library that can be added to the website which when visited by a visitor Coinhive will use a percentage of the visitors CPU to mine Monero. Once the visitor is no longer on the page Coinhive will stop mining using the visitor’s CPU. The Pirate Bay, the famous or infamous depending on which side of the piracy fence you sit, began trailing Coinhive rather than having ad banners on their torrent website. Users were notified about the trial and its implications but were soon dropped by The Pirate Bay due to negative user feedback.

Analysis of CCleaner Hack Reveal Tech Giants Targeted

On Tuesday news broke that the latest version of CCleaner, a popular application owned by Avast, had been hacked, little was known as to the attacker’s intention. As is often the case with attacks conducted by knowledgeable and experienced attackers the targets and aim are exceptionally difficult to ascertain. Given time and dedicated research teams often these can be determined but determining who is responsible is harder.

The CCleaner hack was pulled off by modifying version 5.33 to include Floxif malware as reported by Cisco Talos and MorphiSec. Initially, it was believed that users who downloaded the jeopardized version merely downloaded a fake version of CCleaner. Researchers later determined that the version was indeed legitimate and CCleaner’s supply chain was jeopardized. Ultimately it was determined that Floxif, a malware downloader, was used in this instance to collect information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part.

Equifax and the Cost of a Data Breach

When Equifax announced at the start of September that it had been a victim of a massive data breach and given the companies unique position of been one of the three major credit unions in the United States, everyone knew heads would roll. This feeling would only be exacerbated when late on Friday, eastern standard time, the company released a press statement detailing the incident and announcing the resignation of both the Chief Information Officer and Chief Security Officer.

The press release also confirmed that potentially the personal information of over 143 million U.S. citizens has been impacted with at least credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. Added to that Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents. Many, if not all, of the above statistics regarding the incident were speculated upon in the media, the press release by Equifax serves as confirmation.

Windows Patches Zero Day Spyware

Microsoft, as part of September Patch Tuesday, has released patches for a total of 81 CVE listed vulnerabilities of varying severity. The latest security update addresses 27 critical and 54 important vulnerabilities in severity, of which 38 vulnerabilities are impacting Windows, 39 could lead to Remote Code Execution (RCE). The updates are applicable to all Microsoft products that are currently supported.

Four of the patches are known and have already been exploited in the wild. One of the vulnerabilities was previously unknown to the public with details been released on September 12. The previously unknown vulnerability was discovered by researchers at FireEye and privately reported to Windows, with both parties only releasing details to the public in conjunction with the release of the patch.

Equifax Suffers Gigantic Data Breach

When news of hacks, data breaches, and malware attacks break on mainstream media one knows that the seriousness of the situation can be rarely questioned. When it happens to a company responsible for generating a large portion of credit scores for the American public and advertises the latest advances in ID theft protection those with a sense of humor might comment how ironic the situation is, those who may have their identities were stolen as a result probably won’t be laughing.

News broke on September 7 when Equifax announced that it had suffered a major data breach. Essentially 143 million Americans, including a few British and Canadian citizens, had their incredibly sensitive personal information exposed and potentially stolen. Information which was jeopardized included consumers' names, Social Security numbers, and birth dates for 143 million Americans, and in some instances, driving license numbers and credit card numbers for about 209,000 citizens.

Microsoft Ignoring Security Vulnerabilities

This week saw security researchers announcing, not one, but two vulnerabilities within Microsoft products. Despite being warned months previously of the problems by different security labs, Microsoft has either decided to ignore them or decide that they are not a problem. The first vulnerability relates to Microsoft’s Edge browser while the second vulnerability is found within the Window’s kernel. Earlier in the year, the tech giant responded well and patched vulnerabilities in conjunction with other security firms. This led many to believe Microsoft was trying to turn the leaf with regards to security issues of which they had been criticised for previously. With the latest vulnerabilities, it seems that the leaf has remained unturned.

Researchers at Cisco Talos discovered a vulnerability in Edge which related to the Content Security Policy enforcement feature within the browser. Apple’s Safari browser and Google’s Chrome browser were discovered to have similar vulnerabilities. Unlike Microsoft, both Apple and Google patched the vulnerabilities. The patches are Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), administrators are advised to make sure the latest patches are downloaded and installed if the above-mentioned browsers are used.

TrickBot Evolves…Again

Fast becoming the favored banking Trojan, TrickBot has been updated to steal funds from Coinbase accounts. Coinbase seems to be having a torrid time of late with a surge of complaints from its customer base for the year so far. The rise in complaints has been a reported staggering 4,700% when compared to last year. The total for 2016 is 6 complaints. The amount for 2017 so far is sitting at 442. Any real or perceived vulnerabilities to the platform offered by Coinbase may signal battle stations.

As for TrickBot, since June of this year, it has been updated every month to target more than just the traditional banking sector. Given that recently Bitcoin reached the $5,000 mark on Friday before initiated a mass selloff and returning to $4,500, been able to steal such a highly volatile commodity must be on many hackers Christmas lists. As a malware strain, it is relatively new, first surfacing in the wild in the autumn of 2016. It is believed to be created by some of the Russian hackers behind the Dyre banking Trojan, with some of the operators being arrested in 2015 in Russia. This sentiment is shared by many within the cyber security sector.

Gazer: Cyberespionage Backdoor Emerges

Researchers at both ESET and Kaspersky Lab's Global Research and Analysis Team have uncovered a new backdoor allegedly used by the infamous Turla group. The backdoor has been used to spy on consulates, ministries and embassies worldwide to spy on governments and diplomats. This campaign has reportedly been in action since 2016 and it appears that embassies and consulates of old Eastern Bloc countries were the main targets of the campaign. ESET researchers have termed the backdoor Gazer while Kaspersky Lab's Global Research and Analysis Team have named it Whitebear. Despite the differing names both organisations believe it to be attributed to the Turla group, famed experts of cyber espionage who have been active since the internet was in its infancy and are alleged to have the backing from Russian Intelligence Services.

Multi-Platform Virus Spread Through Facebook Messenger

Security experts are warning against opening messages sent to Facebook users with a video link attached. Do not open the video even if sent by a friend. The video links to numerous fake websites, depending on the users OS and browser, in an attempt to install malicious software on their systems. The attackers make use of social engineering to lure the potential victim into clicking on the required links. On the initial message, it will read “< your friend name > Video” followed by a link. Researchers are yet to determine how the malware spreads, they assume spammers are using compromised accounts, hijacked browsers, or clickjacking techniques to spread the malicious link.

David Jacoby, the researcher at Kaspersky Labs who discovered the malware when he received a message from a friend on Facebook he hardly speaks to. He immediately knew the message was suspicious and began analysing the message. In a short space of time, he discovered that the message was indeed part of an advanced and carefully crafted adware campaign capable of infecting user’s systems across platforms be they Windows, MacOS, and Linux.

CS:GO Cheaters Get More than Paid For

Players of the popular first person shooter Counter Strike: Global Offensive (CS: GO) got more than they bargained for if they looked to download an app which allows users to cheat. The app modified to operate on macOS would also download and install a cryptocurrency miner unbeknownst to the cheater. The age old lesson of “Cheaters never prosper” is most apt in this situation as those looking to cheat would be aiding hackers in accruing Monero, a favoured cryptocurrency of hackers worldwide because of its increased anonymity features.

Players looking to get a leg up on their competition in a less than an ethical way by downloading the vHook app from the website The original version of vHook was not Mac compatible but was advertised on YouTube. The latest version is based on the original vHook, termed Barbarossa, and was modified by a GitHub user going by “fetusfinn”. It appears as though the GitHub user was also the one who added the cryptocurrency miner to the code. The evidence for this resides in the use of the OSX.Pwnet.A miner that features debugger symbols that seem to reference the user name, Finn.

DDoS Tsunami

With Kaspersky Labs releasing their malware report focussing on the second quarter of this year as well as research conducted by Cisco and Umbrella there seems to be a marked rise in DDoS attacks. Many of these attacks seem to be originating in Southeast Asia, with many of the attacks targeting businesses and corporations within China.

Most recently there has been a marked rise in the instance of DDoS services for hire. These are sometimes referred to as DDoS booters or DDoS stressors. Many of which have appeared in China seemingly using the same platform. It could easily be assumed that the same authors could be offering multiple services across a variety of platforms. This could be done to increase market dominance, however, researchers at Cisco revealed the opposite to be true.


Page 13 of 25

<< Start < Prev 11 12 13 14 15 16 17 18 19 20 Next > End >>