Internet threat news

Once EternalBlue was released into the wild by the Shadowbrokers it was predicted that its effects would be far-reaching. Time has proven those predictions correct with many hacking groups around the global adding yet another tool in spreading malicious payload. In this instance the creators of the banking Trojan Retefe have leveraged EternalBlue in order to spread across computers via unpatched and outdated SMB servers.

Earlier this year Emotet and TrickBot were discovered by security researchers sporting highly customised version of EternalBlue. This was at a period where the use of worms to spread malicious payloads across networks was declining with some thinking the malware variant to be dying a slow death. Upon the emergence of EternalBlue new life was seemed to be breathed into something that was thought to be a relic of the recent past. Other than seeing worms become fashionable once more, how banking Trojans were used and operated also changed. In the past those deploying such Trojans would like them to remain undetected for as long as possible, now it seemed they wanted to infect as many computers as possible thus gaining a vast amount of credentials in a smaller space of time. This would have been the trade-off for being easier to detect one can assume.

Cryptocurrencies are fast becoming, if not already, a massive investment tool that is rewriting the rules as to what the currency currently in your wallet can be. With innovation often comes teething problems, these in themselves are not a worry. What is a worry is how malware authors are exploiting innovative ideas for short-term gain. This is hardly new and seems to be an information age constant in that if a tool or idea can be abused to swindle and extort it shall. This maxim is probably not even an information age phenomenon but one that pervades human history.

Coinhive appears to have started its life fairly innocently. As a tool Coinhive could be used by website owners to generate extra income rather than utilizing ad banners. It is essentially a java library that can be added to the website which when visited by a visitor Coinhive will use a percentage of the visitors CPU to mine Monero. Once the visitor is no longer on the page Coinhive will stop mining using the visitor’s CPU. The Pirate Bay, the famous or infamous depending on which side of the piracy fence you sit, began trailing Coinhive rather than having ad banners on their torrent website. Users were notified about the trial and its implications but were soon dropped by The Pirate Bay due to negative user feedback.

On Tuesday news broke that the latest version of CCleaner, a popular application owned by Avast, had been hacked, little was known as to the attacker’s intention. As is often the case with attacks conducted by knowledgeable and experienced attackers the targets and aim are exceptionally difficult to ascertain. Given time and dedicated research teams often these can be determined but determining who is responsible is harder.

The CCleaner hack was pulled off by modifying version 5.33 to include Floxif malware as reported by Cisco Talos and MorphiSec. Initially, it was believed that users who downloaded the jeopardized version merely downloaded a fake version of CCleaner. Researchers later determined that the version was indeed legitimate and CCleaner’s supply chain was jeopardized. Ultimately it was determined that Floxif, a malware downloader, was used in this instance to collect information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part.

When Equifax announced at the start of September that it had been a victim of a massive data breach and given the companies unique position of been one of the three major credit unions in the United States, everyone knew heads would roll. This feeling would only be exacerbated when late on Friday, eastern standard time, the company released a press statement detailing the incident and announcing the resignation of both the Chief Information Officer and Chief Security Officer.

The press release also confirmed that potentially the personal information of over 143 million U.S. citizens has been impacted with at least credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. Added to that Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents. Many, if not all, of the above statistics regarding the incident were speculated upon in the media, the press release by Equifax serves as confirmation.

Microsoft, as part of September Patch Tuesday, has released patches for a total of 81 CVE listed vulnerabilities of varying severity. The latest security update addresses 27 critical and 54 important vulnerabilities in severity, of which 38 vulnerabilities are impacting Windows, 39 could lead to Remote Code Execution (RCE). The updates are applicable to all Microsoft products that are currently supported.

Four of the patches are known and have already been exploited in the wild. One of the vulnerabilities was previously unknown to the public with details been released on September 12. The previously unknown vulnerability was discovered by researchers at FireEye and privately reported to Windows, with both parties only releasing details to the public in conjunction with the release of the patch.

When news of hacks, data breaches, and malware attacks break on mainstream media one knows that the seriousness of the situation can be rarely questioned. When it happens to a company responsible for generating a large portion of credit scores for the American public and advertises the latest advances in ID theft protection those with a sense of humor might comment how ironic the situation is, those who may have their identities were stolen as a result probably won’t be laughing.

News broke on September 7 when Equifax announced that it had suffered a major data breach. Essentially 143 million Americans, including a few British and Canadian citizens, had their incredibly sensitive personal information exposed and potentially stolen. Information which was jeopardized included consumers' names, Social Security numbers, and birth dates for 143 million Americans, and in some instances, driving license numbers and credit card numbers for about 209,000 citizens.

This week saw security researchers announcing, not one, but two vulnerabilities within Microsoft products. Despite being warned months previously of the problems by different security labs, Microsoft has either decided to ignore them or decide that they are not a problem. The first vulnerability relates to Microsoft’s Edge browser while the second vulnerability is found within the Window’s kernel. Earlier in the year, the tech giant responded well and patched vulnerabilities in conjunction with other security firms. This led many to believe Microsoft was trying to turn the leaf with regards to security issues of which they had been criticised for previously. With the latest vulnerabilities, it seems that the leaf has remained unturned.

Researchers at Cisco Talos discovered a vulnerability in Edge which related to the Content Security Policy enforcement feature within the browser. Apple’s Safari browser and Google’s Chrome browser were discovered to have similar vulnerabilities. Unlike Microsoft, both Apple and Google patched the vulnerabilities. The patches are Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), administrators are advised to make sure the latest patches are downloaded and installed if the above-mentioned browsers are used.

Fast becoming the favored banking Trojan, TrickBot has been updated to steal funds from Coinbase accounts. Coinbase seems to be having a torrid time of late with a surge of complaints from its customer base for the year so far. The rise in complaints has been a reported staggering 4,700% when compared to last year. The total for 2016 is 6 complaints. The amount for 2017 so far is sitting at 442. Any real or perceived vulnerabilities to the platform offered by Coinbase may signal battle stations.

As for TrickBot, since June of this year, it has been updated every month to target more than just the traditional banking sector. Given that recently Bitcoin reached the $5,000 mark on Friday before initiated a mass selloff and returning to $4,500, been able to steal such a highly volatile commodity must be on many hackers Christmas lists. As a malware strain, it is relatively new, first surfacing in the wild in the autumn of 2016. It is believed to be created by some of the Russian hackers behind the Dyre banking Trojan, with some of the operators being arrested in 2015 in Russia. This sentiment is shared by many within the cyber security sector.

Researchers at both ESET and Kaspersky Lab's Global Research and Analysis Team have uncovered a new backdoor allegedly used by the infamous Turla group. The backdoor has been used to spy on consulates, ministries and embassies worldwide to spy on governments and diplomats. This campaign has reportedly been in action since 2016 and it appears that embassies and consulates of old Eastern Bloc countries were the main targets of the campaign. ESET researchers have termed the backdoor Gazer while Kaspersky Lab's Global Research and Analysis Team have named it Whitebear. Despite the differing names both organisations believe it to be attributed to the Turla group, famed experts of cyber espionage who have been active since the internet was in its infancy and are alleged to have the backing from Russian Intelligence Services.

Security experts are warning against opening messages sent to Facebook users with a video link attached. Do not open the video even if sent by a friend. The video links to numerous fake websites, depending on the users OS and browser, in an attempt to install malicious software on their systems. The attackers make use of social engineering to lure the potential victim into clicking on the required links. On the initial message, it will read “< your friend name > Video” followed by a bit.ly link. Researchers are yet to determine how the malware spreads, they assume spammers are using compromised accounts, hijacked browsers, or clickjacking techniques to spread the malicious link.

David Jacoby, the researcher at Kaspersky Labs who discovered the malware when he received a message from a friend on Facebook he hardly speaks to. He immediately knew the message was suspicious and began analysing the message. In a short space of time, he discovered that the message was indeed part of an advanced and carefully crafted adware campaign capable of infecting user’s systems across platforms be they Windows, MacOS, and Linux.

Players of the popular first person shooter Counter Strike: Global Offensive (CS: GO) got more than they bargained for if they looked to download an app which allows users to cheat. The app modified to operate on macOS would also download and install a cryptocurrency miner unbeknownst to the cheater. The age old lesson of “Cheaters never prosper” is most apt in this situation as those looking to cheat would be aiding hackers in accruing Monero, a favoured cryptocurrency of hackers worldwide because of its increased anonymity features.

Players looking to get a leg up on their competition in a less than an ethical way by downloading the vHook app from the website vlone.cc. The original version of vHook was not Mac compatible but was advertised on YouTube. The latest version is based on the original vHook, termed Barbarossa, and was modified by a GitHub user going by “fetusfinn”. It appears as though the GitHub user was also the one who added the cryptocurrency miner to the code. The evidence for this resides in the use of the OSX.Pwnet.A miner that features debugger symbols that seem to reference the user name, Finn.

With Kaspersky Labs releasing their malware report focussing on the second quarter of this year as well as research conducted by Cisco and Umbrella there seems to be a marked rise in DDoS attacks. Many of these attacks seem to be originating in Southeast Asia, with many of the attacks targeting businesses and corporations within China.

Most recently there has been a marked rise in the instance of DDoS services for hire. These are sometimes referred to as DDoS booters or DDoS stressors. Many of which have appeared in China seemingly using the same platform. It could easily be assumed that the same authors could be offering multiple services across a variety of platforms. This could be done to increase market dominance, however, researchers at Cisco revealed the opposite to be true.

Hackers are continually innovating and becoming fundamentally sneakier in how they are targeting business. In the NotPetya attack earlier this year we saw hackers dropping malicious code into legitimate accounting software updates. Another instance of corrupting software update mechanisms has again been used. Researchers at Kaspersky’s Global Research and Analysis Team (GReAT) have detected another similar styled attack. Dubbed ShadowPad the secret backdoor gave attackers complete control over networks hidden behind legit cryptographically signed software sold by NetSarang. Founded in 1997 NetSerang develops, markets and supports secure connectivity solutions and specializes in the development of server management tools for large corporate networks. The company has headquarters in both the United States and South Korea with the company boasting clients from banks, media firms, energy companies, and pharmaceutical firms, telecommunication providers, transportation and logistics and other industries.

In a report compiled by researchers at FireEye, it appears it is not only cyber criminals using the leaked NSA tool commonly referred to as EternalBlue. Many will recognise the name as it is the vulnerability (CVE-2017-0143) that assisted in making the WannaCry and NotPetya attacks earlier this year international headlines. Since it was leaked into the wild by the hacking group the Shadow Brokers, EternalBlue has been used in various forms of malware campaigns whether ransomware or in Trojans and miningbots. EternalBlue leverages a vulnerability in Microsoft’s SMB version 1 networking protocol in order to spread laterally across networks in order to deliver a malicious payload. It was only to be a matter of time till researchers discovered it being used for cyber espionage purposes.

In this instance, it is been used to steal credentials from high-value guests staying in hotels across Europe. The security researchers at FireEye believe with moderate confidence the hackers belong to the hacking group Fancy Bear who has been operational since 2007.