Internet threat news

Cyber criminals exploiting the name of Coronavirus

Over the last several weeks the global health emergency surrounding the Coronavirus has overshadowed many other world events. Daily breaking news surrounding the virus’ spread too far-flung regions demand attention. Now, hackers are looking to further their own aims by abusing the medical threat posed by the virus. Currently, three separate campaigns have been discovered using the Coronavirus in an attempt to harvest user credentials or, as in one case, spread Emotet. This is by no means a new tactic, often phishers will send out spam emails related to upcoming sporting events or other world events that garner mass attention to try to get recipients to click on a link or malicious document. Exploiting a global health emergency, as declared by the World Health Organisation, is a key indicator of the moral fiber of the attackers behind these campaigns.

MageCart Gang Compromises Olympic Ticket Site and Others

Last week this publication covered the arrest of three individuals accused of being part of a MageCart gang in Indonesia. This week brings more related news regarding MageCart attacks but so far none of this group has yet to be brought in front of a court. MageCart attacks often involve the injection of malicious JavaScript code into a trusted website's eCommerce checkout page. The malicious code then skims the card details entered by the customer resulting in the theft of consumer data. MageCart groups either gain access to the website directly or via third-party tools, such as analytics applications, to inject the malicious code.

Initially, a MageCart gang targeted an Olympic ticket reseller olympictickets2020[.]com by carrying out a MageCart-like attack on the website. Security researchers Jacob Pimental and Max Kersten discovered the attack, subsequently notified the company selling the tickets, and then later published their findings in late January 2020. The two researchers discovered that the group managed to append malicious code to the end of a legitimate JavaScript library, along with extra obfuscated code to help hide the group’s intentions. Once the researchers had managed to clear all the junk code away it was discovered that the malicious code would send the skimmed card details to opendoorcdn[.]com. Before any of this information was released to the public the researchers attempted to notify the ticket reseller via Twitter and email, as well as the chat feature included on the website in question. The pair did not receive much in the way of correspondence, however, it was noticed that the malicious code had been removed from the website on January 21, 2019.

Wawa Card Breach Totals Over 30 Million

For most of the Western World, December is associated with a myriad of holidays, for many hackers, it is open season. Consumers are warned to be careful when shopping online and companies are warned that they will be targets of what to some is a holiday period. When Wawa announced on December 19, 2020, that the retail giant based namely on the East Coast of the US suffered a data breach much of the InfoSec community was prepared for the news, even if they had no idea who would be the next victim.

At the time the company believed the breach was a result of being infected with point of sale POS malware. This specific type of malware is designed to steal credit and debit card details from point of sale devices commonly used in retail shops to process card payments. The threat posed by such malware led Visa to warn fuel stations throughout North America that there pumps and the devices attached are being targeted by cybercriminal organizations. POS malware is unique in how it manages to steal card data when compared to banking trojans. Payment devices encrypt the data of the card before sending it to the required bank network for approval. The encryption occurs in the device's random access memory (RAM), this allows the malware to scrap the hardware for the card details which are later stolen before they are encrypted. The details are then sent to command and control servers under the control of hackers.

First Ever Arrests Associated with MageCart Attacks

In the fourth quarter of 2019, a spike in MageCart attacks was seen. The most infamous of which involved British Airways which involved nearly 400,000 individuals becoming victims through only a piece of code 22 lines long. Then in November, that same year details emerged detailing how Macy’s also fell victim to such an attack. The attack occurred between October 7 and October 15 when hackers had injected malicious code into the company’s online checkout web page. Now, Indonesian police have arrested three individuals accused of being part of a MageCart gang and carrying out similar attacks.

MageCart attacks involve hackers specifically targeting shopping cart applications found on eCommerce websites. The hacker uses malicious code to skim the card details entered by the customer, the process of skimming the card details has resulted in this type of attack been referred to as Web Skimming or eSkimming. The skimming of the card details amounts to theft and the hacker can now use those details for any number of purposes, popular uses been selling them on the Darknet. In order to inject the malicious code into the cart application, the hacker can either directly compromise the target eCommerce website, or target third party applications. This targeting of third party applications can be classified as a supply chain attack and often involves targeting analytics software, for example, in order to gain a foothold on the targets webpage.

Ransomware Costs Double on the Backs of Sodinokibi and Ryuk

Ransomware continues to be a major bane facing enterprises and government organizations, with the latest high profile victim being Travelex. The currency exchange suffered a Sodinokibi attack, which left some of the company’s online services offline for three weeks. Another new worry for those tasked with securing networks is that ransomware operators are now not only encrypting data but stealing it and threatening, in some cases actually, releasing the data to the public. Researchers spend time analyzing the code behind the malware but what of the costs associated with an infection? Often for CEOs, CFOs, and stakeholders this is often the most important factor when looking to come through such an infection relatively intact.

Ubisoft sues Rainbow Six Siege DDoS Operators

Online gaming has long been a target for hackers, whether to cheat or to deny other gamers the service they have in many cases paid for. In denying other players the online service hackers will often employ distributed denial of service (DDoS) attacks. Not only do such attacks prevent other players from playing or using attached services or web stores, but they impact negatively on the company’s earnings. Hackers have already figured out that they could hire out their services to other malicious gamers and reap a profit. In a process that started in September 2018, Ubisoft has adopted a new tactic to try and prevent future attacks from happening. This tactic involves the courts to sue operators advertising their DDoS skills to whoever is willing to pay.

Proof-Of-Concept Code for Curveball Released

It seems like the start of the year is not complete without a new and dangerous vulnerability been disclosed to the public. Last year it was the Spectre and Meltdown CPU vulnerabilities. This year the new threat is posed by CVE-2020-0601, better known as Curveball. The vulnerability is described as a spoofing vulnerability that exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. According to Windows, this vulnerability could allow an attacker to,

Ransomware Operators Releasing Data of those not paying the Ransom

Sodinokibi and a handful of other ransomware variants are currently dominating discussions regarding ransomware. Continual updates; changes in tactics and infection vectors; and improved targeting tactics placing corporations and government organizations within their crosshairs, have all made Sodinokibi a nightmare to deal with if infected. Now another change in tactics adds to the threat posed by the ransomware variant. The change of tactics does not involve a new advanced code module or infection vector, rather the release of data stolen if the victim does not pay the ransom in time.

In December 2019, representatives of the Sodinokibi ransomware threatened to take such steps on an underground Russian hacker forum. The post was shared with the community by security researcher Damian who discovered UNKN, the public-facing representation of the ransomware, had posted the threat. Such a tactic has been seen before with Maze, another ransomware variant, published 700 MB of data stolen from Allied Universal. At the time this was believed to be only 10% of the data stolen by hackers while simultaneously conducting ransomware operations. The data was released in response to payment not being made by the victim. Sodinokibi now has followed suit.

Iranian Data Wiper Strikes at Bahrain’s National Oil Company

With tensions near the boiling point between Iran and the US, news feeds across the globe have been dominated by headlines. The InfoSec community was also stirring with opinion pieces relating to Iran capabilities in carrying out cyberattacks. However, Iranian state-sponsored hackers are now in the headlines for an incident that occurred on December 29, 2019. It is believed the above-mentioned hackers infected Bapco, Bahrain's national oil company, with a new data wiper.

Wipers, also known as data wipers, are specific pieces of malware specifically designed to destroy data. In the past state-sponsored groups have used wipers in an attempt to remove all trace they had compromised a network. According to a security alert issued by Saudi Arabia's National Cybersecurity Authority and linked by ZDNet the attack was not as successful as intended as only a section of Bapco’s network and connected work stations were affected. The alert was sent to local businesses within the energy sector to warn them of potential intrusion and infection. Given the release of the alert happening over the weekend and the date of the incident, it is important to note that this incident is not directly related to current Iranian and American tensions.

RDP Brute-Force Attacks Last between 2 and 3 Days

In a recent blog article published by the Microsoft Defender, ATP Research Team reveals some interesting numbers regarding RDP brute-force attacks. The key findings of the research team include that brute-force attacks on RDP ports last an average of two to three days and only approximately 0.08% of these attacks are successful. The sample size for the research was 45,000 PCs over a period of months which lends to the study's credibility.

Remote Desktop Protocol (RDP) is a feature of the Windows operating system that allows users to log into a remote computer using a desktop-like interface via the computer's public IP address and port 3389. Typically used in enterprise environments it allows system and network administrators to manage servers and workstations remotely. Likewise, RDP is used by employees while away from their desks to perform work tasks. While proving a handy administrative tool, hackers soon learned that if they could scan for Internet-facing RDP ports that are not properly secured and gain access to targeted machines. Once access is gained hackers can drop any number of malware strains they want to.

US Coast Guard announces it suffered a Ryuk Infection

The US Coast Guard announced that it had suffered a ransomware infection which resulted in the shutdown of a maritime facility for more than 30 hours. The security bulletin, published just before Christmas, also stated that the ransomware was Ryuk. The bulletin, however, makes no mention of the name or the location of the port authority, it merely described the incident as recent. The US Coast Guard noted that the security bulletin intended to inform other maritime authorities of the incident to act as a warning and hopefully prevent future attacks.

While the bulletin did not specify which port or maritime authority was impacted by the attack, it did state that they believe hackers gained access to the network via a phishing email sent to one of the authority’s employees. The agency further elaborated that,

RuNet Disconnection Tests Successful According to Moscow

On December 23, Russian news agencies began reporting that the government had concluded a series of tests designed to disconnect Russia from the Internet. The tests involved Russian government agencies, local internet service providers, and local Russian internet companies with the main aim of the tests to see whether the country's national internet infrastructure, called RuNet, could function without access to the global DNS system and global Internet infrastructure. The Russian government concluded that the test was a success as Internet traffic was routed internally, effectively creating a massive intranet.

At the time of writing the public will have to take the government’s word for it as no technical data has been released to the public. Government officials stated that several disconnection scenarios were tested, including a hostile cyber-attack scenario from a theoretical foreign power. Alexei Sokolov, deputy head of the Ministry of Digital Development, Communications and Mass Media, further stated that the results of the successful test would be presented to President Vladimir Putin next year. Sokolov further summarised the success of the test as,

Chinese APT Group Seen Bypassing 2FA

In a recent report security researchers have found evidence showing that a Chinese state-sponsored hacking group, APT20, has been able to bypass two-factor authentication (2FA) in a recent campaign. Advanced persistent threat (APT) groups are typically defined as groups, more often than not state-sponsored, who gain access to a specific network and are able to operate for long periods of time before discovery. APT20, or Wocao, is such a group and appeared until very recently to have gone on a hiatus with not much known of their operations for periods spanning 2016 and 2017.

In the report published by Fox-IT, it was shown that the group's primary targets were government entities and managed service providers (MSPs). The government entities and MSPs were active in fields like aviation, healthcare, finance, insurance, energy, and even something as niche as gambling and physical locks. As mentioned above, security researchers seemed to lose track of APT20 activity during the period from 2016 to 2017. I’m sure some hoped they were gone for good but given the current research, the group changed its tactics fairly considerably. Based on this new information it would seem the group has been active over the last two years.

Legion Loader Drops a Hornet’s Nest of Malware

What could be worse than being infected by one piece of malware? The answer is painfully obvious, in that more than one infection is worse. What started as a lame joke may be a reality for organizations infected with Legion Loader. In a recent campaign discovered by researchers, a threat actor is attempting to infect as many machines as possible with a loader capable of dropping multiple malware strains.

Discovered by researchers at Deep Instinct who subsequently published their findings in an article, details how what various strains are dropped during the attack. Due to the number of malware strains dropped the researchers have dubbed this campaign “Hornet’s Nest.” It is not yet known how victims are infected with the initial Legion Loader but the attack is being offered as a cybercrime-as-a-service operation. Despite not knowing the initial attack and infection vectors, Legion Loader is written in C++ and still appears to be under development. Clues in the code also suggest that the loader is developed by a Russian speaker and based on the current attack pattern the operators are targeting organizations in the US and Europe.


Page 4 of 34

<< Start < Prev 1 2 3 4 5 6 7 8 9 10 Next > End >>
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal