Internet threat news
It has been a busy couple of days for reports coming from security firm FireEye. Last week this publication covered the use of the FiveHands ransomware strain by a financially motivated group tracked as UNC2447. This week a new report published by the firm details an attack campaign carried out by yet another financially motivated group, tracked as UNC2529. The campaign was discovered by researchers in December 2020 and is notable for several reasons, chiefly that three new malware strains were observed in use.
The attack campaign began with a concerted email phishing effort. FireEye researchers saw that 28 organizations were sent phishing emails. It is safe to assume that more than 28 organizations were targeted, as the 28 observed are likely only those where FireEye has visibility into the infrastructure. Emails were sent from 26 unique addresses linked to a single domain, tigertigerbeads[.]com. The emails contained inline links to malicious URLs such as hxxp://totallyhealth-wealth[.]com/downld-id_mw<redacted>Gdczs, engineered to entice the victim into downloading a file containing a malicious payload. While the emails were sent from one domain, the links were tracked to at least 24 different domains.
A financially motivated threat actor has been seen exploiting a zero-day bug in SonicWall SMA 100 Series VPN appliances. This is done to gain initial access to enterprise networks so that the threat actors can deploy a newly discovered ransomware strain known as FiveHands. So far, victims include organizations located in Europe and North America. The ransomware itself has several similarities to both the HelloKitty and the DeathRansom ransomware strains. Researchers believe that FiveHands is best described as a novel rewrite of DeathRansom. That said, it does have several differences; more on both the similarities and the differences below.
For those still clinging to the myth that Macs are inherently secure, 2021 is proving a difficult year to back up that argument. The advent of Silver Sparrow, which raced to infect over 30,000 Macs, and malware targeting Macs hidden in npm packages are just two of several instances where Macs have been found to be susceptible to attack. Now the threat operators behind the Shlayer malware have been seen exploiting a previously unknown zero-day. The good news is that Apple has now released a patch for it, so Mac users are strongly advised to install the latest update if they have not done so already.
In summary, the malware's creators found a way to bypass Apple's File Quarantine, Gatekeeper, and Notarization security checks and download second-stage malicious payloads. This is not the first time Shlayer has tricked Apple. Previously the malware was seen subverting the notarization process introduced with macOS Catalina. This time, Shlayer subverts Gatekeeper to run malicious applications and harvest sensitive information.
Built to replace Secure Sockets Layer (SSL), Transport Layer Security (TLS) is a family of cryptographic protocols designed to secure communications across networks. The protocol is used in email, instant messaging, and voice-over-IP applications. That said, its role as the security layer of HTTPS remains one of its primary uses. It is this ability to keep communications hidden from the view of security researchers that threat actors have latched onto. According to a recent report published by Sophos Labs, 23% of malware detected in 2020 was seen abusing the TLS protocol; by the first quarter of 2021 this had skyrocketed to 46%.
Researchers determined that the large growth in TLS abuse can be linked to threat actors increasingly turning to legitimate web and cloud services protected by TLS to further attack campaigns. Services like Discord, Pastebin, GitHub, and Google’s cloud services are increasingly being used as repositories for malware. Acting as a repository for malware or specific components is not the only use malware authors have found for the above-mentioned services. Researchers have seen services being used as storage for stolen data and to send commands to botnets and other malware. Further, the increase in TLS abuse has also partly been attributed to threat actors encapsulating communications behind Tor and TLS network proxies to hide them.
In a recent report published by Advanced Intel, a threat intelligence firm, those behind recent Ryuk attacks have changed tactics. The change concerns how initial access to targeted networks is gained: according to Advanced Intel's researchers, the new tactic involves exploiting hosts with public Internet-facing RDP (Remote Desktop Protocol) connections. Using targeted phishing emails to deliver malware continues to be the favored initial attack vector, but researchers noted that the start of 2021 saw an increase in instances where operators looked to compromise RDP connections to gain initial access.
To gain access to Internet-facing RDP connections, threat actors use brute-force attacks, trying weak username and password combinations or credentials that have been leaked. Once initial access to a network is gained, the threat actors begin the reconnaissance stage of the operation. Researchers have noted distinct phases once this stage begins. The first is defined by the attackers looking for valuable resources on the now compromised network.
While headlines regarding Iran's nuclear program and Israeli malware possibly being used to cause failures at nuclear plants are this week's big cybersecurity news, other developments deserve attention. One such development is the discovery of a new piece of malware that targets Node.js developers using Mac and Linux machines. The malware was found in a malicious package on the npm registry, which developers use to supplement their code with existing tools to make their lives easier.
The malware was found in a package labeled "web-browserify," which is intended to imitate the popular Browserify package, downloaded over 160 million times. By naming the malicious package "web-browserify," the attacker is presumably hoping to trick developers into downloading it. The malware is built by combining hundreds of legitimate open-source components and performs extensive reconnaissance on an infected system. As of April 13, 2021, the malware was detected by none of the malware engines tracked on VirusTotal. Ax Sharma, who works for Sonatype and writes for Bleeping Computer, discovered the malware along with a team of researchers.
The recent Exchange Server vulnerability and news that the flaws were being used to spread ransomware dominated many InfoSec headlines. However, Kaspersky’s recent discovery of the Cring ransomware strain using an old VPN vulnerability as the initial attack vector reminds us that ransomware operators can always dig into the old bag of tricks to pull off a successful attack.
On January 26, 2021, Swisscom CSIRT tweeted,
Since April 3, 2021, several reports have emerged of a trove of data belonging to Facebook users being leaked online for free. The data consisted chiefly of mobile phone numbers but also included names, email addresses, gender, occupations, and several location identifiers. The stolen data first emerged on an underground hacking forum in July 2020, when one member began selling the information to other members.
The sale of data on such forums is standard practice for those stealing sensitive data from organizations. However, this instance was notable because, while much of the information could have been scraped from public-facing user profiles, the mobile numbers associated with the accounts were private. That means they should not have been accessible in the same manner as information on the public profiles. In total, the sold data covered 533,313,128 Facebook users. Researchers discovered that the large majority of the stolen records included a private mobile number as well as a Facebook ID, a name, and the member's gender.
2020 was seen by many as a bumper year for DDoS attacks. A survey conducted by the Neustar International Security Council (NISC) showed that the largest single group of respondents, 22%, believed the biggest threat they faced was a DDoS attack. Further, the share of respondents who acknowledged having suffered such an attack went up from 60% in 2019 to 74% in 2020. 2021 promises to be no different, and is highly likely to be worse, with the advent of Ransom Distributed Denial of Service attacks exceeding 800 Gbps.
Distributed Denial of Service, or DDoS, attacks are attempts to maliciously disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. This is done using botnets: devices infected with malware that gives the attacker control over them and lets them send HTTP requests on demand. Attackers direct thousands of infected devices to send requests to the target server until the server can no longer handle the traffic.
Schools and universities continue to be a favored target of ransomware operators. Previously, this publication covered how the US Federal Bureau of Investigation issued an alert warning the education sector that the Pysa ransomware, a variant of Mespinoza, was actively being used in campaigns against schools and universities. Over the past weekend, another schooling organization, this time across the Atlantic, was hit by a ransomware attack.
Reports began emerging that the Harris Federation, which runs some 50 schools in London and Essex in the United Kingdom, had to temporarily disable their email system, leaving nearly 40,000 students without the service during a time when many students are remotely attending certain classes given the current pandemic.
Initially discovered in 2018, Purple Fox, a trojan spread by phishing emails and RIG exploit kit campaigns, has been seen in several active campaigns since its discovery. Now the malware has added another distribution method to its toolkit. The malware is now capable of spreading via what researchers call a worm-like capability, better described as "indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes."
The new distribution method was discovered by researchers at Guardicore Labs, who announced the discovery recently in a report. The report is technical in nature but makes for interesting reading for those following Purple Fox's development since its discovery. The discovery was made when Guardicore Global Sensors Network (GGSN) telemetry began picking up increased Purple Fox activity in mid-2020. Activity trailed off in November that same year until January 2021, followed by another surge in activity. Researchers determined that activity has increased 600%, with the total number of attacks estimated at 90,000.
Security researchers have discovered a new piece of malware capable of compromising systems running macOS. In particular, the malware targets developers who use the Xcode integrated development environment (IDE). Developers building apps for macOS or iOS typically use Xcode to take advantage of features unique to those two platforms, both developed and maintained by Apple. The malware was discovered by researchers at SentinelLabs, with details published by the security firm recently.
The malware, named XcodeSpy, abuses the Run Script functionality found within Xcode. The malware is currently being distributed via an open-source Xcode project available on GitHub. The attackers are looking to take advantage of a community of developers who share tools and applications to assist other developers. The malicious developer tool discovered by researchers is a copied and modified version of TabBarInteraction, a legitimate project that assists developers in creating interactive tab and navigation bars. It is important to note that the legitimate TabBarInteraction project has not been compromised.
Researchers at Proofpoint have published a report detailing a newly discovered piece of malware that attempts to steal account information for popular service providers, including Google, Facebook, Amazon, and Apple. Not only can the malware steal account passwords and cookies, it can also drop other malware onto the infected device. Called CopperStealer, the malware is being used by threat actors to push other strains of malware through malvertising campaigns.
The malware was discovered on 29 January 2021, when a Twitter user, TheAnalyst, shared a malware sample with Proofpoint that triggered their malware detection systems. Following an investigation, the malware was found to have password and cookie stealing capabilities along with a downloader that could be used to drop other malware strains onto infected devices. The investigation also uncovered malware samples dating back to July 2019, possibly indicating that the malware has been in development for some time. According to researchers, one sample analyzed showed that the malware targeted Facebook and Instagram advertisers. However, earlier samples showed versions capable of targeting users of other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr, and Twitter.
The US Federal Bureau of Investigation's Cyber Division published an alert on March 16, 2021, warning readers that those behind the Pysa ransomware were actively targeting institutions in the education sector. Institutions targeted include higher education, K-12 schools, and seminaries in 12 US states and the United Kingdom. The warning further stated, "Since March 2020, the FBI has become aware of PYSA ransomware attacks against US and foreign government entities, educational institutions, private companies, and the healthcare sector by unidentified cyber actors."
Activity dating back to March 2020 is in line with known campaigns involving the ransomware strain. In the same month, this publication covered similar warnings issued by France's Computer Emergency Response Team (CERT). In that instance, the warnings centered on French government departments being targeted by threat actors. Pysa, so named because of the .PYSA extension appended to encrypted files, is seen by security researchers as a variant of Mespinoza ransomware and was first spotted in late 2019. The discovery came as several companies began reporting that they had suffered a ransomware incident involving an as yet unknown strain.