Internet threat news
Over the last several weeks the global health emergency surrounding the Coronavirus has overshadowed many other world events. Daily breaking news about the virus’ spread to far-flung regions demands attention. Now, hackers are looking to further their own aims by abusing the medical threat posed by the virus. Currently, three separate campaigns have been discovered using the Coronavirus in an attempt to harvest user credentials or, as in one case, spread Emotet. This is by no means a new tactic; phishers often send out spam emails related to upcoming sporting events or other world events that garner mass attention, trying to get recipients to click on a link or open a malicious document. Exploiting a global health emergency, as declared by the World Health Organisation, is a key indicator of the moral fiber of the attackers behind these campaigns.
For most of the Western World, December is associated with a myriad of holidays; for many hackers, it is open season. Consumers are warned to be careful when shopping online, and companies are warned that they will be targeted during what is, for others, a holiday period. When Wawa announced on December 19, 2020, that the retail giant, based mainly on the East Coast of the US, had suffered a data breach, much of the InfoSec community was prepared for the news, even if they had no idea who would be the next victim.
At the time the company believed the breach was the result of an infection with point-of-sale (POS) malware. This specific type of malware is designed to steal credit and debit card details from the point-of-sale devices commonly used in retail shops to process card payments. The threat posed by such malware led Visa to warn fuel stations throughout North America that their pumps and the devices attached to them are being targeted by cybercriminal organizations. POS malware is unique in how it manages to steal card data when compared to banking trojans. Payment devices encrypt the card data before sending it to the required bank network for approval. Because that encryption is performed in the device's random access memory (RAM), the malware can scrape the card details from memory before they are encrypted. The details are then sent to command and control servers under the control of the hackers.
In the fourth quarter of 2019, a spike in MageCart attacks was seen. The most infamous of these involved British Airways, where nearly 400,000 individuals became victims through a piece of code only 22 lines long. Then in November of that same year, details emerged of how Macy’s also fell victim to such an attack. The attack occurred between October 7 and October 15, when hackers injected malicious code into the company’s online checkout web page. Now, Indonesian police have arrested three individuals accused of being part of a MageCart gang and carrying out similar attacks.
MageCart attacks involve hackers specifically targeting the shopping cart applications found on eCommerce websites. The hacker uses malicious code to skim the card details entered by the customer; this skimming of card details has resulted in the attack type being referred to as Web Skimming or eSkimming. The skimming of the card details amounts to theft, and the hacker can then use those details for any number of purposes, a popular one being to sell them on the Darknet. In order to inject the malicious code into the cart application, the hacker can either directly compromise the target eCommerce website or target third-party applications. Targeting third-party applications can be classified as a supply chain attack and often involves targeting analytics software, for example, in order to gain a foothold on the target's webpage.
Ransomware continues to be a major bane facing enterprises and government organizations, with the latest high-profile victim being Travelex. The currency exchange suffered a Sodinokibi attack, which left some of the company’s online services offline for three weeks. Another new worry for those tasked with securing networks is that ransomware operators are now not only encrypting data but stealing it and threatening to release it to the public, and in some cases actually doing so. Researchers spend time analyzing the code behind the malware, but what of the costs associated with an infection? For CEOs, CFOs, and stakeholders this is often the most important factor when looking to come through such an infection relatively intact.
Online gaming has long been a target for hackers, whether to cheat or to deny other gamers the service they have in many cases paid for. To deny other players the online service, hackers will often employ distributed denial of service (DDoS) attacks. Not only do such attacks prevent other players from playing or using attached services or web stores, but they also negatively impact the company’s earnings. Hackers have already figured out that they can hire out their services to other malicious gamers and reap a profit. In a process that started in September 2018, Ubisoft has adopted a new tactic to try to prevent future attacks from happening. This tactic involves using the courts to sue operators who advertise their DDoS skills to whoever is willing to pay.
It seems the start of the year is not complete without a new and dangerous vulnerability being disclosed to the public. Last year it was the Spectre and Meltdown CPU vulnerabilities. This year the new threat is posed by CVE-2020-0601, better known as Curveball. The vulnerability is described as a spoofing vulnerability that exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. According to Windows, this vulnerability could allow an attacker to,
Sodinokibi and a handful of other ransomware variants are currently dominating discussions regarding ransomware. Continual updates, changes in tactics and infection vectors, and improved targeting that places corporations and government organizations within their crosshairs have all made Sodinokibi a nightmare to deal with once infected. Now another change in tactics adds to the threat posed by the ransomware variant. This change does not involve a new advanced code module or infection vector, but rather the release of stolen data if the victim does not pay the ransom in time.
In December 2019, representatives of the Sodinokibi ransomware threatened to take such steps on an underground Russian hacker forum. The post was shared with the community by security researcher Damian, who discovered that UNKN, the public-facing representative of the ransomware, had posted the threat. Such a tactic has been seen before, when Maze, another ransomware variant, published 700 MB of data stolen from Allied Universal. At the time this was believed to be only 10% of the data stolen by the hackers while they simultaneously conducted ransomware operations. The data was released in response to the victim not making payment. Sodinokibi has now followed suit.
With tensions near the boiling point between Iran and the US, news feeds across the globe have been dominated by the headlines. The InfoSec community was also stirring with opinion pieces on Iran's capabilities for carrying out cyberattacks. However, Iranian state-sponsored hackers are now in the headlines for an incident that occurred on December 29, 2019. It is believed the above-mentioned hackers infected Bapco, Bahrain's national oil company, with a new data wiper.
Wipers, also known as data wipers, are pieces of malware specifically designed to destroy data. In the past, state-sponsored groups have used wipers in an attempt to remove all trace that they had compromised a network. According to a security alert issued by Saudi Arabia's National Cybersecurity Authority and linked by ZDNet, the attack was not as successful as intended, as only a section of Bapco’s network and connected workstations were affected. The alert was sent to local businesses within the energy sector to warn them of potential intrusion and infection. Given that the alert was released over the weekend and given the date of the incident, it is important to note that this incident is not directly related to the current Iranian and American tensions.
In a recent blog article published by the Microsoft Defender ATP Research Team, the team reveals some interesting numbers regarding RDP brute-force attacks. The key findings include that brute-force attacks on RDP ports last an average of two to three days and that only approximately 0.08% of these attacks are successful. The sample size for the research was 45,000 PCs over a period of months, which lends credibility to the study.
Remote Desktop Protocol (RDP) is a feature of the Windows operating system that allows users to log into a remote computer using a desktop-like interface via the computer's public IP address and port 3389. Typically used in enterprise environments, it allows system and network administrators to manage servers and workstations remotely. Likewise, RDP is used by employees while away from their desks to perform work tasks. While it has proven a handy administrative tool, hackers soon learned that they could scan for Internet-facing RDP ports that are not properly secured and gain access to the targeted machines. Once access is gained, hackers can drop any number of malware strains they want to.
The US Coast Guard announced that a maritime facility had suffered a ransomware infection which resulted in its shutdown for more than 30 hours. The security bulletin, published just before Christmas, also stated that the ransomware was Ryuk. The bulletin, however, makes no mention of the name or the location of the port authority; it merely described the incident as recent. The US Coast Guard noted that the security bulletin was intended to inform other maritime authorities of the incident, to act as a warning and hopefully prevent future attacks.
While the bulletin did not specify which port or maritime authority was impacted by the attack, it did state that the agency believes hackers gained access to the network via a phishing email sent to one of the authority’s employees. The agency further elaborated that,
On December 23, Russian news agencies began reporting that the government had concluded a series of tests designed to disconnect Russia from the Internet. The tests involved Russian government agencies, local internet service providers, and local Russian internet companies, with the main aim of seeing whether the country's national internet infrastructure, called RuNet, could function without access to the global DNS system and global Internet infrastructure. The Russian government concluded that the test was a success, as Internet traffic was routed internally, effectively creating a massive intranet.
At the time of writing, the public will have to take the government’s word for it, as no technical data has been released. Government officials stated that several disconnection scenarios were tested, including a hostile cyber-attack scenario from a theoretical foreign power. Alexei Sokolov, deputy head of the Ministry of Digital Development, Communications and Mass Media, further stated that the results of the successful test would be presented to President Vladimir Putin next year. Sokolov summarised the success of the test as,
In a recent report, security researchers have found evidence showing that a Chinese state-sponsored hacking group, APT20, has been able to bypass two-factor authentication (2FA) in a recent campaign. Advanced persistent threat (APT) groups are typically defined as groups, more often than not state-sponsored, who gain access to a specific network and are able to operate for long periods of time before discovery. APT20, or Wocao, is such a group and until very recently appeared to have gone on hiatus, with not much known of its operations during 2016 and 2017.
In the report published by Fox-IT, it was shown that the group's primary targets were government entities and managed service providers (MSPs). The government entities and MSPs were active in fields like aviation, healthcare, finance, insurance, energy, and even something as niche as gambling and physical locks. As mentioned above, security researchers seemed to lose track of APT20 activity during the period from 2016 to 2017. I’m sure some hoped they were gone for good, but given the current research, the group changed its tactics fairly considerably. Based on this new information, it would seem the group has been active over the last two years.
What could be worse than being infected by one piece of malware? The answer is painfully obvious: more than one infection. What started as a lame joke may be a reality for organizations infected with Legion Loader. In a recent campaign discovered by researchers, a threat actor is attempting to infect as many machines as possible with a loader capable of dropping multiple malware strains.
The campaign was discovered by researchers at Deep Instinct, who subsequently published their findings in an article detailing which strains are dropped during the attack. Due to the number of malware strains dropped, the researchers have dubbed this campaign “Hornet’s Nest.” It is not yet known how victims are initially infected with Legion Loader, but the attack is being offered as a cybercrime-as-a-service operation. While the initial attack and infection vectors are unknown, Legion Loader is known to be written in C++ and still appears to be under development. Clues in the code also suggest that the loader is developed by a Russian speaker, and based on the current attack pattern, the operators are targeting organizations in the US and Europe.