Internet threat news

FBI warns of Attacks Bypassing Multi-Factor Authentication

In a warning issued by the Federal Bureau of Investigation’s (FBI) cyber division, private industry has been warned about attacks able to bypass multi-factor authentication (MFA). According to the law enforcement agency, this is done through a combination of social engineering and SIM swapping tools elaborated upon at a developer conference in June 2019. The warning specifically alerts private industry and individuals to attacks using SIM swapping, vulnerabilities in online pages handling MFA operations, and the use of transparent proxies like Muraena and NecroBrowser. When used together correctly, these tools can bypass weaker (soft) forms of MFA: the first intercepts login credentials, and the latter stores the data and hijacks the session cookie to log into the now compromised accounts.

   
Magecart Attacks on the Rise

Since the first Magecart-style attacks were detected in 2010 there have been over 2 million detections. These attacks continue to rise, presenting a greater danger to online shoppers unaware that their credit card information can be stolen from their favorite eCommerce websites. Rather than representing one group or one specific piece of malware, Magecart has come to represent a distinct attack tactic. Numerous groups are currently deploying Magecart-style attacks with varying degrees of skill, some more advanced than others. The most infamous Magecart attack involved the breach of British Airways, where the credit card data of nearly 400,000 customers was compromised.

A Magecart attack involves a hacker targeting the shopping cart systems found on eCommerce websites. The process of stealing the credit card data is known as skimming and is done by the hacker injecting code, sometimes as little as 22 lines, into the cart's code. The code, often written in JavaScript, is loaded when a customer attempts to check out. It then copies the credit card data entered by the customer and sends it to the hacker’s command and control server.

   
Leaky Database Exposes the Data of 20 Million Russian Nationals

Exposed databases are becoming an increasing problem for the public. In a recent report published by Comparitech together with Bob Diachenko, an exposed server was found to have leaked the personally identifiable information (PII) of over 20 million Russian nationals. PII is most commonly understood as any data that could lead to the identification of an individual; credit card information, identity numbers, medical records, and social security numbers are all examples of PII. The sensitive information was exposed from 2009 to 2016 and formed part of an Amazon Web Services (AWS) Elasticsearch cluster. The cluster in question was not protected by any form of encryption or password protection.

Within the cluster, devoid of any form of security, researchers discovered multiple databases. Two of these would have been of particular interest to any hacker, and in turn to the researchers: they contained PII and tax information belonging to individuals. This information could be used in targeted phishing attacks or identity theft campaigns.

   
Disinformation for Profit

For some time, numerous nation-state actors have realized the power of effective disinformation campaigns. APT groups like Fancy Bear have long understood that pairing a disinformation campaign with other operations can influence political events. The Democratic National Committee and US Presidential Campaign incidents can be seen as a benchmark other nation-state actors would look to copy. However, it is not only nation-state actors who have seen value in disinformation campaigns; hackers and other cybercriminal organizations have now begun advertising their skills in conducting such campaigns.

Disinformation campaigns typically involve the abuse of social media platforms to disseminate fake news articles designed to further the attacker’s goal. According to research published by Recorded Future, researchers discovered hackers offering disinformation services on Dark Web forums. According to the researchers, two separate hackers were seen advertising and conducting such campaigns in exchange for a fee.

   
Campaign Abusing Windows Narrator Discovered

Researchers have discovered a malware campaign targeting computers throughout Asia which seeks to replace Windows Narrator with a malicious version. The malicious version, in turn, grants the attacker not only remote access but almost unfettered persistence. Windows Narrator forms part of Microsoft’s Ease of Access suite, which is built into Windows 10 and operates as a screen reader. Narrator is designed to improve the accessibility of machines running Windows 10 so that those with low vision can use the machine relatively unhindered. The software can also replace the mouse by receiving voice commands and is compatible with braille displays.

Researchers working for BlackBerry Cylance discovered the campaign and noticed that it predominantly targets systems belonging to technology companies based in Southeast Asia. In a report published by Cylance, it was noted that the attackers use a modified open source piece of software which grants remote access. Called PCShare by its developers, it is currently available via GitHub. The tool is heavily modified and customized for the campaign at hand, featuring tailored command-and-control (C2) servers, encryption, and proxy bypass functionality. At the same time, all code not deemed useful to the attacker’s goals has been removed from the source code.

   
New Malware Seen Targeting Indian ATMs

ATMs have long been viewed by hackers as instant jackpot machines, compromised to spit out sums of money when malicious code is executed. They are not only machines which contain relatively large sums of cash; they are also a treasure trove of information waiting to be stolen. Researchers at Kaspersky Labs have discovered a new malware variant that is seemingly designed to go after the information rather than the cash, at least temporarily, as the data from bank cards inserted into the machine can be used later in a variety of ways for financial gain.

In a report published by Kaspersky Labs, the malware, named ATMDtrack, had been seen targeting Indian ATMs and banks since September 2018, with the latest activity tracked to September 2019. In the newer attacks, researchers discovered an improved version of ATMDtrack, which they have subsequently called Dtrack, that focuses more on spying and data theft than on stealing data from bank cards. Dtrack is seen as more potent due to its increased features, which include a Remote Access Trojan (RAT) that, when executed, grants the attacker access to the infected computer. The latest campaigns employing Dtrack have been seen targeting Indian research centers as well as banks.

   
New Hacking Group Seen Laying Foundation for Supply Chain Attack

A new hacking group has emerged from the shadows. Dubbed Tortoiseshell by researchers, the group has been seen targeting IT companies, and the reason appears to be that the group is laying the foundation for a supply chain attack. Such attacks can be a nightmare for organizations as they often target less secure elements of the organization, whether a third-party supplier or an in-house system not properly secured, which could grant access to the entire network.

According to a report published by Symantec, the new group uses a combination of custom tools and off-the-shelf malware to conduct its operations. The group has been active since the middle of 2018 and in that time has targeted at least 11 IT providers, most of which reside in Saudi Arabia. According to the researchers, it appears that the group aimed to gain domain-level access, which would grant it access to an organization’s entire network. It appears that the group managed to pull this off on two separate occasions.

   
Emotet Raised from the Dead

Widely regarded as one of the most dangerous botnets in recent history, Emotet ceased activity in May 2019. Researchers noticed that Emotet activity started picking up again in August. In less than a month, researchers detected a new spam email campaign being distributed by the botnet. Malicious emails sent from the Emotet botnet have been spotted targeting those residing in Germany, the United Kingdom, Poland, and Italy. Further, emails have been seen sent to US individuals, businesses, and government organizations.

By June 2019 all activity on Emotet servers had ceased. On August 22, 2019, the command and control servers started receiving requests and acting upon them. Researchers noticed that those behind the botnet had been actively preparing for a new spam email campaign.

   
Business Email Compromise Scams Raked in $26 Billion

A recent public service announcement released by the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) revealed the true extent and costs associated with Business Email Compromise (BEC) scams. In the announcement, IC3 reported a 100% increase in BEC scams for the period May 2018 to June 2019. BEC scams involve the spoofing of corporate email accounts known for conducting wire transfers across the globe to suppliers in different countries. Using numerous techniques, malware variants, and social engineering, the scammers fraudulently wire funds, or in some cases convince employees to wire funds, to accounts under their control. These scams have seen increased rates of success as scammers have started impersonating CEOs and others in positions of power to better trick employees.

The announcement gives not only the increase in such attacks but also the number of complaints received by the department. Since June 2016, IC3 has received 166,349 complaints, both domestically and internationally. The department estimated that such scams have resulted in a dollar loss of 26 billion. Importantly, the scams do not only target large corporations but small and medium-sized businesses as well. A factor to be considered in the 100% increase is the increased awareness, in both the public and corporate spheres, of the scams. This increased awareness has contributed to more victims reporting complaints and opening cases. Such scams have been reported in 177 countries, with funds fraudulently sent from nearly 140 countries.

   
New Cyber Espionage Malware Emerges

Researchers have discovered a new piece of malware which creates a backdoor by abusing the Windows BITS service in order to hide traffic sent to and received from the operator's command and control servers. This is not the first instance of researchers discovering malware designed to abuse BITS, with the first known case dating back to 2015, maybe even earlier. The malware appears to be used by a state-sponsored cyber espionage group named Stealth Falcon. More on the group and its links to the malware follows.

In a report published by the Slovak security firm ESET, details of the new piece of malware are laid out. Researchers have called the malware Win32/StealthFalcon and believe this new piece of malware is stealthier than previous tools known to be employed by the cyber espionage group. As alluded to above, much of the malware’s stealth comes down to its abuse of BITS. BITS, or Background Intelligent Transfer Service, was first introduced with the release of Windows XP and has been included in subsequent versions of the operating system. BITS allows for the transfer of files between machines using idle network bandwidth. Windows uses it, for example, to deliver updates to users, but other applications also use it to download updates while the user is not using bandwidth.

   
14 iOS Vulnerabilities Found

Last week the InfoSec community was informed about 14 vulnerabilities found in Apple’s iOS. Further, it was stated that these vulnerabilities had been actively exploited in the wild since September 2016. Over seven months of research by Google’s Project Zero, working in conjunction with Google’s Threat Analysis Group (TAG), was published, detailing how the vulnerabilities were exploited. The attackers used the vulnerabilities in at least five exploit chains, with Project Zero publishing its research on each of the five chains. The reports can be read here, beginning with the first exploit chain. It goes without saying that the information in the reports is technical and won’t be covered in much depth in this article, but for the technically minded the reading will be interesting.

   
Malware hiding in Textbooks and Essays

For students purchasing a new year’s worth of academic material and textbooks, the price of the books can be overwhelming. For those students, a quick search may reveal that the book they desperately need is available for free online. For a lot of students, free beats paid 99% of the time; sadly, according to Kaspersky, many of these free textbooks are loaded with numerous strains of malware. Commonly, hackers have looked to infect those illegally downloading movies or TV series, as well as those looking to get an advantage over others with cheat codes in games. Both have long been hunting grounds for hackers, but the loading of malware onto free academic material shows that hackers never bind themselves to just one method when targeting users.

   
TrickBot Upgrades for SIM Swapping Attacks

To say that the TrickBot trojan has become more than a constant pain for those defending networks would be an understatement. In addition to the constant stream of updates and upgrades, the malware authors also rent out their creation to other cybercriminal organizations. This tactic has resulted in the malware authors developing partnerships with some of the more prominent cybercriminal organizations, presenting a greater threat for security researchers. Now TrickBot includes features which enable hackers to carry out SIM swapping attacks.

SIM swapping is an increasingly popular attack vector. The scam involves the hacker exploiting mobile service providers’ ability to seamlessly port an old number to a new SIM card. The hacker begins by getting their hands on personal information of the victim. This may be done with a phishing email, but other methods have been used previously. The hacker then contacts the victim’s service provider and pretends to be the victim to get the number ported to the SIM in their possession. In a lot of cases, the hacker can now bypass SMS multi-factor authentication methods and reset passwords for a victim's bank accounts, email accounts, or cryptocurrency exchange portals. In the US over the past two years, such scams have spiked in popularity, with the potential for victims to lose hundreds of thousands of dollars.

   
Enterprise Networks under Attack

Hackers are actively attacking enterprise networks by exploiting flaws made public earlier this month, taking advantage of public technical details and demo exploit code to launch attacks against enterprise targets. The hackers are exploiting flaws discovered in Webmin, a web-based utility for managing Linux and UNIX systems, and in VPN products such as Pulse Secure and Fortinet's FortiGate. All three flaws are seen as incredibly serious, as if successfully exploited they can allow the attacker to take full control of enterprise systems. Researchers are of the opinion that these attacks are some of the worst seen this year because the networks being targeted are full of incredibly sensitive data.

The first of these attacks appears to have begun last week on Tuesday, with hackers exploiting the flaw discovered in Webmin. The flaw, given the identifier CVE-2019-15107, was seen being exploited a day after it was disclosed. The flaw essentially created a backdoor; this was done a year before, when other hackers managed to compromise a server belonging to a Webmin developer, where it remained hidden for more than a year before being discovered. As soon as the flaw was disclosed, scans for servers running vulnerable Webmin began. Once confirmed by Webmin, the flaw, rather than just being scanned for, was actively attacked.
