Internet threat news

A powerful computer worm known as Duqu 2.0 has been recently discovered in the networks of three hotels used to host the P5+1 negotiations. These negotiations included representatives from the US, UK, France, Germany, China, and Russia and were created to discuss Iranian nuclear capabilities over the last year and a half. Although the official Kaspersky report does not name the hotels in question, it is believed that this worm was deployed by a state-sponsored Israeli campaign in an attempt to gather sensitive intelligence as it relates to the nuclear talks and anything else of relevance that the worm was able to gather in the process. Although a direct link to an Israeli sponsored campaign cannot be proven at the time of this writing, it’s worth pointing out that just this past March, the US Government accused Israel of spying on the negotiations and using the intelligence gathered to persuade Congress to undermine the talks.

The venerable Zeus banking Trojan has been killed off many times; disappearing from the global Internet time and time again only to reappear with new modifications designed to improve the powerful malware’s features while avoiding modern detection software. Zeus has been used by cybercriminals around the world to orchestrate massive malware campaigns that have been responsible for millions of dollars in stolen funds over the last several years.

Ransomware was a big threat to PC users around the world in 2014 and although a few ransomware variants have made headlines this year, there could be a massive increase in the number of ransomware campaigns during the next several months thanks to a new, free tool available for anyone to download. This program, known as Tox, was created and released by a hacker who has yet to be identified. Essentially, Tox is a ransomware-as-a-service kit. While similar kits have been made available to wannabe hackers in the past, most of these kits cost money to get started. Tox, on the other hand, does not charge users for its service - at least not up front. Rather than charge an upfront fee for ransomware creation, the creator of Tox opted to offer the service for free; choosing instead to charge a 20% fee on any success ransom attempts created using Tox.

According to Microsoft, the User Account Control (UAC) security feature built into all modern Windows OS release is designed to help defend your PC against both hackers and malicious software. Whenever a program attempts to make a change to the PC, UAC notifies the user and asks for permission. When this occurs, users can allow the changes, decline the changes, or click a button that displays additional details about the program attempting to make the change and what specific changes the program is attempting to make. Unfortunately, many people simply choose ‘Yes’ without clicking the ‘Show details’ button first and this is exactly how a new proof-of-concept malware known as ShameOnUAC deceives victims. In most cases, UAC works very well. It often stops potential malware threats by not allowing installed malware to make any significant changes to the PC without the consent of the user. Of course, like most other PC security considerations, effectively using UAC means that the user must know when to allow changes via the privilege escalation prompt and when to decline these changes (i.e. when an unknown program attempts to make changes via the UAC prompt).

Over the last several months, there has been a flood of exploits targeting commonly used encryption standards. These standards, which were designed to secure server-client sessions from man-in-the-middle attacks, are used by websites around the world. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both cryptographic security measures that were created to protect sensitive data transmissions across computer networks. The Heartbleed bug, which affected millions of websites using the OpenSSL protocol, was the first major cryptographic vulnerability to make headlines. Then it was POODLE. Then came FREAK. All of these vulnerabilities allowed hackers to hijack secure Web sessions – providing these hackers with the opportunity to steal sensitive personal information (often without the victim knowing anything was wrong until it was too late).

Perhaps the most dangerous banking Trojan to emerge since the takedown of the Gameover Zeus botnet last summer, the Dyre banking Trojan has been credited with millions of dollars in losses around the world. Although most modern antivirus suites detect the original version of Dyre as of this writing, hackers have been working to update the banking Trojan in an effort to squeeze additional financial gain out of this powerful malware variant. Security researchers from Seculert recently discovered a new version of Dyre in the wild that is capable of avoiding sandbox detection tools. While this may seem like a complicated programming trick, the mechanics behind this evasion technique are really quite simple. Once installed on a PC, this new version of Dyre checks to see how many processor cores the infected machine is running.

A security researcher from Web security firm Sucuri recently discovered a cross-site scripting (XSS) vulnerability present in every default installation of WordPress, a popular content management system (CMS) used by millions of websites around the world. The vulnerability, which is part of the default WordPress Twenty Fifteen theme, is a DOM-based (Document Object Model) flaw. DOM is responsible for the rendering of images, text, links, and headers within a Web browser. The vulnerability is the result of an insecure file within the 'Genericons' package that allows the DOM environment of the victim's browser to be modified by hackers.

Security researchers recently discovered a new strain of malware that uses unique – and somewhat extraordinary – measures to avoid detection and analysis. Known as Rombertik, this malware strain is unique even among other forms of self-destructing malware due to its unusual evasion techniques. Once Rombertik detects any analysis tool on the infected machine, it immediately attempts to delete the PCs Master Boot Record (MBR) and all home directories. This puts the machine in a constant reboot loop – essentially making the computer unusable. This complex piece of malware collects data about everything a user does online in an attempt to obtain login credentials and other sensitive information.

In a report issued by security firm FireEye last October, a group of hackers known as APT28 has been secretly targeting government organizations around the world in an attempt to gather as yet unknown information in a campaign with its roots in Russia. Specifically, FireEye was able to determine that APT28 has an apparent government sponsor located in Moscow. Unlike many of the China-based threats that have made recent headlines, the hackers of APT28 do not appear to be seeking financial gain from the intellectual property stolen during a breach.

Last week, this blog reported on a dangerous strain of malware, known as PoSeidon that is targeting the POS systems of small retailers including bars and restaurants. A recent report issued by security firm Trustwave indicates that yet another malware variant specifically targeting POS systems has been spotted in the wild. This malware, known as Punkey, appears to have evolved from the recently discovered “NewPOSthings” family of malware first discovered by researchers from Arbor Networks. While the discovery of Punkey is the topic of this article, it’s worth pointing out that TrendMicro recently detailed the discovery of multiple malware strains based on the NewPOSthings source code.

Researchers recently discovered a new strain of malware, known as PoSeidon, designed to steal credit and debit card information from compromised POS devices. PoSeidon has already been implicated in numerous breaches targeting numerous businesses including restaurants, bars, and hotels. Unlike previous POS-targeted attacks that focused on larger companies like Target and Home Depot, cybercriminals have decided to start focusing on smaller retailers. Targeting these smaller POS users has made it especially difficult for financial institutions to track credit card fraud and represents nothing more than the latest iteration in a constantly evolving cat-and-mouse game between cybercriminals and financial institutions around the world.

The FBI recently released a warning to all WordPress users detailing a plot by terrorist organization ISIS to exploit vulnerable sites to display pro-ISIS messages. According to the FBI report, ISIS and its many sympathizers around the world are targeting WordPress sites – especially those operated by commercial entities, news organizations, religious institutions, and all levels of government (both foreign and domestic). So far, it appears that the individuals behind these attacks are not professional hackers. In other words, these are unskilled computer users that are leveraging known WordPress plugin flaws in readily-available hacking tools.

Researchers at IBM Trusteer recently discovered a new banking Trojan which has been dubbed Tsukuba. This relatively simple, but effective example of financial malware is a part of the ‘proxy changers’ family that uses social engineering techniques to harvest victims’ online banking credentials and other personal information. In a recent blog post about Tsukuba, researchers explain that the malware operates using a three part process.

A critical vulnerability has been discovered in one of the most popular WordPress plugins in use today. This plugin, known as WordPress SEO by Yoast, reports more than 14 million downloads (according to the Yoast website) – making it one of the most widely used plugins for WordPress. This means that tens of millions of websites around the world are at risk of being attacked by hackers looking to exploit this newly discovered vulnerability.