Internet threat news

FIN6 Now Deploying Ransomware

In the middle of March 2019, we covered the emergence of a new POS malware, DMSniff. The article further highlighted the threat posed SMBs and retailers posed by malware specifically designed to scrap card details from POS machines when a card is swiped. Central to this threat is one group FIN6 and their use of the Trinity to steal and later sell card details on hacker forums which roped them in millions upon millions of dollars. According to a report published by security firm FireEye, FIN6 are now deploying ransomware in where it cannot infect the target with its created POS malware.

FIN6 has been linked to numerous attacks netting in millions of dollars. Researchers at FireEye describes the group and its tactics as,

Trojan Poses as Security App

Security firm TrendMicro has discovered a new variant of the XLoader trojan is targeting Android devices by posing as a security app. Mac users are not out of the woods either as the trojan also attempts to infect iPhones and iPads through a malicious iOS profile. Previously researchers have seen Xloader posing as both Facebook and Chrome. This latest variant includes a new deployment technique and modifications to the source code.

The malware is also hosted on fake websites that mimic legitimate domains, this is done in an attempt to trick users into downloading what they believe is a legitimate and necessary security product. Researchers also found that links to the malicious websites are sent to potential victims using SMiShing, short for SMS phishing.

Instances of Torrent Malware Down

Hackers and cybercriminals are just as susceptible to trends to the millions upon millions of social media users. In the case of hackers, a trend is often determined by ease of use and chances of securing an easy payday rather than what the latest celebrities are promoting. More often than not security firms publish findings on the drastic increase in one type of malware or the other. In a turn of events, Kaspersky Labs published findings of how one method of distributing malware is finding less favor among hackers.

ASUS Software Abused in Supply Chain Attack

According to an article published by security firm Kaspersky, the Taiwanese tech giant ASUS is believed to have pushed the malware to hundreds of thousands of customers through its trusted automatic software update tool. This was a result of hackers compromising the company’s server and used it to push the malware to machines. The company appears to be the unwitting participant in the whole affair and the malicious file used a legitimate ASUS digital certificates to make it appear to be an authentic software update from the company. The attack by the attackers can be regarded as a textbook supply chain attack.

A supply chain attack can be defined as when a malicious actor injects malicious code into the source code of a software product without the software company been aware of the initial malicious injection. There have been many examples of these attacks through the years but perhaps one of the most infamous in recent memory was the NotPetya attacks which occurred in 2017. Hackers are drawn to this attack method as it has multiple advantages. One of the biggest advantages is the difficulty of detection as the attack requires the hacker to create a backdoor to legitimate, certified software as companies will use their security team to prevent attacks from outside the company and not during software development. Further, companies are hesitant to report such attacks to authorities as they are scared of the reputational damage that is bound to occur.

FDA Issues Warning Concerning Heart Implants

Right on the end of May 2017, we published an article detailing how researchers had discovered over 8,600 vulnerabilities in pacemakers. These vulnerabilities were found across four producers of several products defined as pacemakers and some were discovered in radio controlled devices. On March 21, 2019, the US Food and Drug Administration, known as the FDA, for short, issued a warning over a critical flaw affecting scores of Medtronic heart defibrillators that allows a nearby attacker to change the settings of a patient's cardiac device by manipulating radio communications between it and control devices. This alert further highlights the cybersecurity difficulties experienced by the community and globe regarding internet of things (IoT) devices. It is important to note that Medtronic pacemakers are not affected by the recent vulnerability discovery.

Aluminum Giant Hit by Ransomware

On March 19, 2019, Norwegian aluminum production giant Hydro announced that it had suffered a cyber-attack. Further, the company announced that it was a ransomware infection that affected the entire company. This can be seen as a major cybersecurity event as, since the start of 2019, there have not been major ransomware incidents that targeted companies which led to the company having to shut down operations to any degree. This attack also further illustrates how hackers using ransomware have changed tactics targeting government organizations and large companies. Earlier in March Jackson County in the US has hit by a ransomware attack which shut down local government websites, however, the potential cost of the Hydro incident will pale in comparison when loss of earnings and other factors are considered.

Mirai Botnet Upgraded

Recently published research shows that the infamous Mirai botnet has been upgraded to attack to new classes of Internet of Things (IoT) devices, those been smart signage TVs and wireless presentation systems. This at first glance does not appear to be a major revelation, what is worrying is how the authors of Mirai appear to have spent a lot of time and effort into these upgrades. The upgrades center around the inclusion of new exploits which have been added to older versions of the botnet. With the rise of IoT devices so did the rise of botnets, a malware type which can be defined as a collection of internet-connected devices, which may include PCs, servers, mobile devices, and importantly for Mirai’s case internet of things devices that are infected and controlled by the malware. This creates a network which can be used by a malicious actor to send email spam, engage in click fraud campaigns, and generate malicious traffic for distributed denial-of-service (DDoS) attacks.

POS Malware Seen Targeting SMBs

Waking up to a notification from your bank saying that you spent a lot of money on some online purchase from a company in a country you’ve never thought of visiting is a horrible way to wake up. Cybercriminals have a unique ability to ruin days, even those of people careful with their credit cards. You make sure when you swipe your bank cards you are present or even swipe yourself to combat card skimming fraud and protect your details. What then if the POS (point of sale) device has been compromised with malware designed to steal your credit card details unbeknownst to you and the retailer?

In research published by Flashpoint, this is a reality facing both customers and small to medium businesses (SMBs). Malware called DMSniff is actively been used to target restaurants, cinemas, and other retailers in the entertainment and hospitality industries. The malware is believed to be active since 2016 has managed to fly under the radar until now, having been uncovered with the key targets of campaigns been small and medium-sized companies which rely heavily on card transactions, such as the food, hospitality and entertainment industries. This is not the first malware researchers have seen targeting POS machines bur DMSniff includes a unique feature designed to continually send stolen details even if the command and control (C&C) server operated by the cybercriminals has been shut down.

Jackson County Forks Out $400,00 for Ransomware Payment

It was a commonly held belief that hackers using ransomware would only go after private individuals. When WannaCry struck this belief was well and truly shattered. Increasingly hacker groups are seeing the value of attacking government organizations, hospitals, and companies. One of the reasons for this is that, particularly in the case of government departments and organizations, the systems are large, sometimes complex, and often using software that is no longer supported by the manufacturers. Jackson County, a rural area in Georgia, USA, has experienced this the hard way after suffering a ransomware attack, of which, they paid the hackers 400,00 USD for the decryption key just to have access to critical infrastructure.

On March 1 news reports began surfacing that Jackson County had suffered a ransomware attack which affected the county’s internal networks. According to Jackson County’s website, a civic alert notified the public that most of their systems were offline. Fortunately for emergency operators the systems assisting the 911, emergency services were unaffected by the attack. In an interview with StatesScoop Sheriff, Janis Mangum stated,

Cyber Espionage Group behind SingHealth Breach Identified

Towards the end of July 2018, it was reported that SingHealth, a medical services provider in Singapore, suffered a major data breach where approximately 1.5 million patients had their records exposed. At the time AFP that the initial analysis was done by Singapore's Cyber Security Agency and that the attack indicated “a deliberate, targeted, and well-planned cyber-attack and not the work of casual hackers or criminal gangs,” No one was directly attributed to the attack and officials declined to comment on whom they believed to be responsible. However, one of the victims of the breach was Prime Minister Lee Hsien Loong illustrating that nobody is immune to being targeted by a sufficiently motivated hacker group.

At the time of the data breach, authorities and security firms were hesitant to attribute the attack to a particular group or individual, and perhaps rightly so as hasty conclusions regarding attributing the attack could lead numerous headaches. While no group was directly named it was believed state actors may have been responsible given the nature of the breach. That did not mean that authorities and security firms were resigned to not prove who was behind the attack. According to a report published by Symantec, the attack can be attributed to a group codenamed Whitefly. IN the past the group has attacked organizations in healthcare, media, telecommunications, and engineering, and is likely part of a larger operation targeting other nations. The report which was published on Wednesday, March 6, 2019, details how the previously unknown group was determined to be Whitefly. The group appears to have been operating since 2017 and primarily targeted organizations in Singapore. The group appears to be focussed on stealing massive amounts of data including large volumes of sensitive data.

Ransomware Attack on Israeli Websites Fails Horribly

Over the past weekend, hackers launched a ransomware campaign in an attempt to infect millions of Israelis. Based on current evidence it is believed that the hackers are operating out of Palestine and may be affiliated with the #OpIsreal campaigns. OpIsreal forms part of nearly yearly cyber-attacks against the Government of Israel as well as private websites operated from Israel. The main goal of the annual campaign is “erasing Israel from the Internet”. Popularity and public support behind the campaigns have been decreasing steadily over the years. According to SenseCy participants in the campaigns have decreased steadily from over 6000 in 2014 to just 600 in 2017.

While popularity for OpIsrael is on the decline, the group has experienced some successful campaigns, mainly the denial of service attacks on Israeli websites in 2013, in protest to Israel’s policies regarding Palestine. If the latest ransomware campaign is indeed part of OpIsrael, it might signify a switch in tactics from hacktivism to merely cybercrime devoid of a moral imperative. On March 2, 2019, hackers successfully poisoned DNS records for Nagich, a web service that provides an accessibility widget that is embedded on thousands of Israeli websites to provide access for persons with reading disabilities. Hackers then used the widget to automatically embed malicious code on thousands of Israeli websites. The code would first publish the message “#OpJerusalem, Jerusalem is the capital of Palestine,” then proceed to initiate an automatic download for a Windows file named “flashplayer_install.exe” a file tainted with ransomware.

Coinhive Throws In the Towel

What started it out with the intention of being an innovative way to replace banner ads on websites turned into an incredibly popular piece of malware. When Coinhive began its life it was innocent. Rather than web developers using space for ad banners they could add a JavaScript file to the browser which would use the visitors CPU to mine Monero, now infamously known as a favored cryptocurrency used by hackers around the globe. This mining was intended to occur only while visitors were on the web page and with their express consent. What started out innocently was quickly weaponized.

The Pirate Bay, provided a proof of concept test of Coinhive by asking users if they would prefer ad banners or the application to mine cryptocurrency while using the service. The torrent site known for its flagrant abuse of copyright law received a fair amount of criticism for the move, but it could be seen as a successful proof of concept. The Pirate Bay was eventually to receive ban orders due to copyright infringement and like with other similar torrent sites is involved in a perpetual cat and mouse game with authorities. Despite this many saw Coinhive as a potential technology to disrupt big corporations stranglehold on ad revenue.

WinPot Turns ATMs into Jackpot Machines

The dream of having an ATM give you money without ever deducting it from your bank account is a relatable dream for a large majority of the population. Real currency that can be spent as one wished with no repercussion on your own personal balance is too good to be true. Hacker’s beg to differ and have been hacking ATMs for years, often relying on the fact that most ATMs have outdated software, in most cases older versions of Microsoft, that has long since been abandoned and no longer receiving any support.

According to research published by Kaspersky Labs a new piece of malware designed specifically to hack ATMs. Called WinPot, quite literally turns the ATM into a slot machine. However, a slot machine implies there is a chance of winning. WinPot allows the “player” to always win and illegally receive cash from the machine. In order to install this type of malware the hacker needs either network access or to be able to physically access the machine itself. As detailed in another report published by Kaspersky Labs details how just using a 15 USD drill and drilling in the right spot will grant a hacker serial access to the computer within the ATM. Once this is done it is relatively simple to install the malware which replaces the ATMs normal display with four buttons labeled “SPIN”. Each “SPIN” button represents one of the four cassettes, the cash dispensing containers, in the ATM. When the hacker selects one cash is dispensed from that container. Kaspersky does not name the ATM brand but wisely just refers to it as a “popular” ATM brand.

Microsoft Reveals New Fancy Bear Campaign

It is no over-exaggeration to say that APT 28, also called Fancy Bear, has become a thorn in the side of law enforcement and security researchers. Fancy Bear is believed to have links with Russian military and intelligence agencies including the GRU, or the Main Directorate of the General Staff of the Russian Armed Forces for those wanting the entire name, which is the main intelligence agency serving the Russian armed forces. Fancy Bear is one of the most active advanced persistent threat groups on the planet and is believed to have played a pivotal role in the attacks upon the Democratic National Committee, both in 2016 and in 2018. Now Microsoft, in a blog post, that the group is actively targeting political organizations engaged in the upcoming the upcoming 2019 European Parliament election, due to be held in May 2019.

According to Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft, the Redmond based tech giant has recently detected activity targeting democratic institutions in Europe. The detections are as a result of Microsoft’s expansion of its Threat Intelligence Center (MSTIC) and Digital Crimes Unit (DCU) to protect customers across the globe. The malicious activity is also not isolated to the political sphere but often extend to think tanks and non-profit organizations working on topics related to democracy, electoral integrity, and public policy. These are organizations that are often in contact with government officials and other policymakers. As an example of this Microsoft detected attacks targeting employees of the German Council on Foreign Relations and European offices of The Aspen Institute and The German Marshall Fund. It was also stated that researchers detected attacks dating to between September and December 2018 targeting 104 accounts belonging to employees at various organizations, with the organizations been domiciled in Belgium, France, Germany, Poland, Romania, and Serbia.


Page 3 of 27

<< Start < Prev 1 2 3 4 5 6 7 8 9 10 Next > End >>
Malware activity

Global virus and spyware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal