Internet threat news

RuNet Disconnection Tests Successful According to Moscow

On December 23, Russian news agencies began reporting that the government had concluded a series of tests designed to disconnect Russia from the Internet. The tests involved Russian government agencies, local internet service providers, and local Russian internet companies with the main aim of the tests to see whether the country's national internet infrastructure, called RuNet, could function without access to the global DNS system and global Internet infrastructure. The Russian government concluded that the test was a success as Internet traffic was routed internally, effectively creating a massive intranet.

At the time of writing the public will have to take the government’s word for it as no technical data has been released to the public. Government officials stated that several disconnection scenarios were tested, including a hostile cyber-attack scenario from a theoretical foreign power. Alexei Sokolov, deputy head of the Ministry of Digital Development, Communications and Mass Media, further stated that the results of the successful test would be presented to President Vladimir Putin next year. Sokolov further summarised the success of the test as,

   
Chinese APT Group Seen Bypassing 2FA

In a recent report security researchers have found evidence showing that a Chinese state-sponsored hacking group, APT20, has been able to bypass two-factor authentication (2FA) in a recent campaign. Advanced persistent threat (APT) groups are typically defined as groups, more often than not state-sponsored, who gain access to a specific network and are able to operate for long periods of time before discovery. APT20, or Wocao, is such a group and appeared until very recently to have gone on a hiatus with not much known of their operations for periods spanning 2016 and 2017.

In the report published by Fox-IT, it was shown that the group's primary targets were government entities and managed service providers (MSPs). The government entities and MSPs were active in fields like aviation, healthcare, finance, insurance, energy, and even something as niche as gambling and physical locks. As mentioned above, security researchers seemed to lose track of APT20 activity during the period from 2016 to 2017. I’m sure some hoped they were gone for good but given the current research, the group changed its tactics fairly considerably. Based on this new information it would seem the group has been active over the last two years.

   
Legion Loader Drops a Hornet’s Nest of Malware

What could be worse than being infected by one piece of malware? The answer is painfully obvious, in that more than one infection is worse. What started as a lame joke may be a reality for organizations infected with Legion Loader. In a recent campaign discovered by researchers, a threat actor is attempting to infect as many machines as possible with a loader capable of dropping multiple malware strains.

Discovered by researchers at Deep Instinct who subsequently published their findings in an article, details how what various strains are dropped during the attack. Due to the number of malware strains dropped the researchers have dubbed this campaign “Hornet’s Nest.” It is not yet known how victims are infected with the initial Legion Loader but the attack is being offered as a cybercrime-as-a-service operation. Despite not knowing the initial attack and infection vectors, Legion Loader is written in C++ and still appears to be under development. Clues in the code also suggest that the loader is developed by a Russian speaker and based on the current attack pattern the operators are targeting organizations in the US and Europe.

   
Visa Warns that North American Fuel Pumps are been targeted by FIN8

Payment processing giant Visa warns that North American fuel pumps are currently being targeted by cybercrime syndicates looking to install Point of Sale (PoS) malware across their networks. PoS malware is typically seen as malware designed to steal credit card information from the point of sale devices commonly used in shops, as well as fuel pumps, to process debit and credit card transactions.

The malware works differently when compared to banking trojans and other malware designed to steal financial information. This is because payments processed through such devices are encrypted so that if the information is intercepted it can’t be read by prying eyes. The decryption of the data only occurs in the PoS device’s random-access memory (RAM), where it is processed. PoS malware specifically targets the RAM to steal the unencrypted information. The process is called RAM scraping and is made possible via built-in backdoors and command and control features abused by hackers.

   
Microsoft Reveals Fiendish Phishing Tactics

Phishing, namely the fraudulent attempt to gain an individual's personal information or credit card information via the use of emails and fake websites, continues to be a favored tactic employed by hackers to part users with money and information that can be used for identity theft. In a recent blog post has revealed three of the more cunning phishing operations they discovered for the year of 2019.

Over the years protections against phishing have increased and become incredibly effective, preventing billions of malicious phishing emails from reaching end-users. This has in a sense created an arms war between cybercriminals and those looking to secure machines and networks. Researchers at Windows’ Office 365 Advanced Threat Protection noticed an escalation in the tactics used as well as techniques involving the abuse of legitimate cloud services like those offered by Microsoft, Google, Amazon, and others. The first cunning case study involves the use of URLs that point to legitimate but compromised websites.

   
Snatch Ransomware has a New Trick

New and novel ways to further a malware main objectives do not happen too often. Hackers prefer to use tried and tested means to distribute and deploy malware. Even the development of new malware is generally done by veteran groups of hackers with a certain skillset. When a new trick is seen interest is raised accordingly amongst researchers and journalists. The trick that has gotten all the attention lately was created by the malware authors behind the Snatch ransomware. The trick involves rebooting the infected machine into Safe Mode and then encrypting files. This is done in an attempt to avoid detection.

In a recent report published by Sophos, researchers noted that the trick works because some antivirus packages do not start in Safe Mode, the mode is used to recover from a corrupted operating system. This is likely the first time such a tactic has been seen in the wild. This is novel for a second reason as the majority of malware currently circling the Internet does not persist on the machine after a reboot, meaning Snatch has been designed to persist and function after the machine has been rebooted in Safe Mode.

   
Great Cannon Resurrected

After a two year hiatus the botnet, named Great Cannon, has been resurrected back to life to carry our DDoS attacks. A distributed denial of service (DDoS) attack is a malicious attempt to disrupt the traffic heading to a server, network, or website by flooding the infrastructure with traffic. This is done by utilizing compromised machines, referred to as sometimes as bots, to continually send requests to the target. Another method used to carry out the attacks is to intercept other legitimate traffic and then redirecting that traffic towards the victim. This works by essentially causing a traffic jam as the server cannot deal with all the requests and cannot deal with legitimate traffic denying users the service offered.

Great Cannon was last seen in 2017 when Chinese authorities used it for DDoS attacks against Mingjingnews.com, a New York-based Chinese news site. Now the DDoS botnet is been used to launch attacks against LIHKG, an online forum where Hong Kong residents are organizing anti-Beijing protests. Great Cannon made a name for itself when it was used to attack GitHub and GreatFire.org. GitHub was targeted for hosting tools to aid Chinese users to bypass China's national firewall, while GreatFire.org was targeted because it exposes internet censorship across the globe.

   
PyXie RAT Stealing Credentials and Passwords

Researchers have discovered a new remote access trojan (RAT), that is currently being used to steal login credentials, record video, and includes a keylogging component to assist in its objectives. Given the amount of news surfacing regarding ransomware and exploit kits most can be forgiven if they forgot RATs are still a threat. A RAT forms part of the trojan family of malware and includes a backdoor which grants administrative control of the machine infected. RATs tend to be downloaded invisibly via a user-requested program. They are also difficult to detect because they usually don't show up in lists of running programs or tasks. The actions they perform can be similar to those of legitimate programs. Furthermore, an intruder will often manage the level of resource use so that a drop in performance doesn't alert the user that something's amiss.

   
South Korean Cryptocurrency Exchange has $48.5 Million Stolen

Cryptocurrency exchanges have been a target for hackers wanting to get their hands on cryptocurrency when they first began offering their services. Now, according to a statement made by Upbit, a South Korean cryptocurrency exchange, they have suffered a 48.5 million USD loss as a result of hackers. On November 27, 2019, the company suspended all deposit and withdrawal services, stating 342,000 in Ethereum (ETH) had been stolen from one of the companies Upbeat Ethereum hot wallets to a previously unknown wallet address.

According to Lee Seok-woo, chief executive of Doo-myeon, the operators of Upbit, the attack took place at 1:06 pm Korean time on November 27. Other than that very little is known as to the nature of the attack as well as who may be behind the attack. However, the wallet used by the hackers could be traced and showed that the stolen Ethereum was done over the course of 17 transactions. At the time of writing the cryptocurrency was still in the wallet. In the statement, Leon Seok-woo stated that Upbit assets will cover the stolen funds and customers will not be impacted beyond an estimated two-week timeframe for deposit and withdrawal services to resume. It was further noted that any cryptocurrency that was still in the affected hot wallet had been transferred to a cold wallet not connected to the Internet.

   
Exploit Kits are Evolving to Become Fileless

Exploit kits like RIG and Fallout made news headlines for being associated with the distribution of Sodinokibi and GandCrab respectively. By been used to distribute some of ransomware's biggest players researchers have noted a rise in popularity of other hackers and malware authors using exploit kits to drop other forms of malware onto unsuspecting victims. This popularity seems to have driven another evolution in the history of exploit kits in that three out of nine exploit kits analyzed by researchers have migrated to being fileless.

   
New Roboto Botnet Turning Linux Servers into Zombies

When asked to think of a botnet, any botnet, many researchers and journalists will list Emotet. The botnet is, without doubt, one of the more dangerous Botnets seen in recent memory. Been used to distribute the Ryuk ransomware will most certainly grab headlines and the attention of those who made cybersecurity their careers. A new botnet recently discovered, called Roboto, will also look to dominate headlines in the near future. Not for features it boasts but rather the network infrastructure behind it.

Typically in the past Botnets were seen as a collection of internet-connected devices turned into bots by malware to run DDoS attacks, steal data, and send spam. Newer botnets can also be seen distributing other forms of malware, like in the case of Emotet. Traditionally, most botnet operations have been associated with carrying out DDoS attacks, however, as hackers saw that their botnets could be used for other purposes they looked to add a raft of features to run multiple applications.

   
Retail Giant Macy’s Suffers Data Breach

On November 14, 2019, US retail giant Macy’s announced that it had suffered a data breach. The breach appears to be the result of another Magecart attack, with Macy’s now be added along with British Airways to a list of high profile Magecart attacks. In a Magecart attack, the hacker targets the shopping cart feature on an eCommerce website. The hacker injects malicious code into the function which allows the hacker to skim credit card details and send them to a command and control server. In the Macy’s incident malicious code was added both to the checkout and shopping cart pages which allowed the hacker to steal even more customer information.

According to the announcement, the checkout and cart pages were hacked on October 7 with the hack only been detected on October 15. This means that for a week any details entered on the compromised pages could have been collected by the hacker. The attackers in this instance were able to access customer information and credit card information that includes the customer's first name, last name, address, city, state, zip, phone number, email address, payment card number, CVV number, and card expiration details. The retail giant noted,

   
Hospital Forced to Fight a Different Virus

Hospitals around the world have a lot on their plate, dealing with life-threatening emergencies and illnesses on a minute to minute basis. Increasingly hospitals also now have to fend off another kind of virus, that of malware and in particular trojans. Due to the incredibly sensitive patient information stored on a hospital's network, they have become juicy targets for hackers, with some trying their utmost to gain access to those networks. Malwarebytes recently released a report titled Cybercrime tactics and techniques: the 2019 state of healthcare which paints a pretty worrisome picture of the battle raging on hospital networks.

Some of the report's key takeaways have been highlighted in a blog post for those not wanting to read the entire report. What researchers have determined is that the increase in attacks on hospitals is been driven by numerous factors, with one such factor being that hospitals are often guilty of not securing sensitive data correctly making it easier for hackers to steal. Other factors include exploiting vulnerabilities found on legacy software which remains unpatched and the effective use of social engineering to get hospital staff to unknowingly download malware. Researchers also found that no matter the size of the healthcare institution it would be targeted, whether small private hospitals to far larger healthcare enterprises.

   
The BlueKeep Saga

When news broke about the Spectre and Meltdown vulnerabilities at the start of 2018 a lot of fuss was made as to how potentially dangerous these vulnerabilities were if exploited correctly. The fuss may have been justified as it may have provoked people to update their systems when patches were released. Even if you are not Nostradamus you could predict that a similar vulnerability would grab headlines for the danger it posed. That vulnerability did come forth in May of this year, CVE-2019-0708, named BlueKeep. The jury is still out on whether it needed the attention given to it and whether it posed the danger, namely been wormable, as advertised. Microsoft is still warning users that the threat is real and can be leveraged in dangerous attacks.

   

Page 3 of 32

<< Start < Prev 1 2 3 4 5 6 7 8 9 10 Next > End >>
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal