Internet threat news

For Cosmos Bank, a bank that has been in business for 112 years, August will go down as one of the bank’s worst months. On August 14, 2018, the Hindustan Times reported that the bank suffered a two-stage attack where malware was used on the bank's ATM server to steal the credit card information of customers, alongside SWIFT codes required for transactions. It was estimated that during the first wave roughly 11.5 million USD in transactions from multiple countries was stolen. In the second wave, on the same day, close to 2 million USD was withdrawn through debit card transactions across India. Later when those funds were traced it was discovered that they were transferred to Hong Kong via fraudulent SWIFT transactions.

Cosmos Bank chairman Milind Kale said the cyber attack was a global effort as cyberattackers operated from "22 nations." The bank pointed the finger at Canada as the place of origin for many of the fraudulent transactions. A further article published by the Hindustan Times said that the hackers failed in their first attempt to compromise the bank's systems. Despite the first failed attempt worryingly no alert was issued to put the bank on guard against any further suspicious activity. The bank has since confirmed that no funds had been debited from its customers’ accounts.

The North Korean linked Lazarus group has been on both government and security firms advanced persistent threat (APT) watch lists for a while now. Sometimes referred to as Hidden Cobra, particularly by the US Computer Emergency Readiness Team (US-CERT), the group has conducted many cyber espionage campaigns as well as targeting banks and other financial companies around the globe. Over the last few months, Lazarus has successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies. Much of the groups work targeted Windows systems and machines. However, the group is now targeting MacOS.

Lazarus Group is perhaps most well-known for the Sony Pictures hack which occurred in October 2014. The group managed to gain access to the media giant’s network and stole massive amounts of confidential data and then leaked them online. The hack was seen as retaliation to the movie The Interview starring James Franco which was seen by Lazarus group as derogatory to North Korea. The group also issued vague threats to theatres who intended to show the film. Sony canceled the release of the movie as a result of the hack and subsequent threats.

For several years now the Chinese government has been attempting to create a set of standards and norms governing cybersecurity. In the wake of increased trade tensions between the US and China, there is a growing fear among security researchers and investors that these standards may be used to deter or sabotage the efforts of foreign tech firms trying to enter the Chinese market. The set of standards is often simply referred to as the “national cybersecurity standards”. These standards are issued by the Chinese National Information Security Standardization Technical Committee (TC260), a government agency that has issued roughly 300 standards since 2015.

Generally, these standards are seen as recommendations made by the government. They are intended to govern the design and operation of various products, such as routers, firewalls, or even software applications. Some of these standards describe methods of providing the Chinese government with access to sensitive data belonging to Chinese citizens. It further specifies how that data is handled by a particular type of service or piece of hardware. Other stipulations provide a list of acceptable encryption algorithms. Others specify how a product's cross-border data transfer and behavior are to be handled and monitored. According to the Chinese government, these standards are all only "recommended" as mere guidelines for product and service designs and bare no official status for the sale of products on the Chinese market. However, the Center for Strategic and International Studies (CSIS), a Washington-based think tank, in practice, many of these "recommended" standards may actually be required to do business in China without explicitly saying so.

The start of the year seemed to open with a bang on the cybersecurity news front. The Spectre and Meltdown vulnerabilities made headlines with fears that they could be as bad, if not worse, than the previous Heartbleed vulnerability that made its mark on CPUs previously. Since then every now and then news trickles in of a researcher having been able to exploit those vulnerabilities in slightly new ways. On August 14, 2018, news broke that researchers had discovered another vulnerability affecting Intel processors. The researchers who discovered the vulnerability have called it Foreshadow and have set up a website where users can gain more information including the paper they published.

Currently, two research teams independently discovered the Foreshadow vulnerability and the L1 Terminal Fault vulnerability. A team from KU Leuven, a university in Belgium, informed Intel of its findings on January 3, the day when the now infamous Spectre and Meltdown vulnerabilities were disclosed to the public. The second team, comprising researchers from Israel-based Technion, University of Michigan, the University of Adelaide in Australia, and Australia-based CSIRO's Data61, reported its findings to Intel on January 23.

Security researcher Ruben Santamarta published a research paper detailing that that hundreds of airplanes from several airlines could have been hacked remotely from the ground through vulnerabilities in satellite communications systems. The latest research paper follows a paper published in 2014 by Santamarta in which the researcher described theoretical attack scenarios on satellite communications. Santamarta continued his research in November 2017 when he managed to passively collect from an airplane’s Wi-Fi network while on a trip. Santamarta noticed that several commonly used services, such as Telnet, HTTP, and FTP, were available for certain IP addresses. More worrying, some interfaces associated with the plane’s onboard satellite communications (satcom) modems were accessible without any authentication.

Recently many security firms have detailed the rise of cryptojacking as a favored method of hackers for increasing their payroll. What was noticed was the detections of ransomware had declined massively while cryptojacking detections had skyrocketed exponentially. This led some to believe that ransomware was slowing dying. Recent events prove this not to be the case or in the very least hackers using ransomware variants did not get the memo their favored malware variant is dead.

Over the weekend news began surfacing that TSMC, the company responsible for the processors in many of Apple’s mobile devices, suffered a WannaCry attack. Last year the City of Atlanta was devastated by a ransomware attack which cost the city 2.6 million USD to recover from. Yesterday Golf Week published an article stating that the PGA had suffered an attack by hackers which resulted in officials been locked out of crucial files related to this week’s PGA Championship at Bellerive Country Club and the upcoming Ryder Cup in France.

News began surfacing on August 6, that TSMC, or to give the company its unabbreviated name Taiwan Semiconductor Manufacturing Company, suffered a malware incident over the previous weekend. It was revealed that the chip manufacturer suffered a WannaCry attack which resulted in plant closures, all of which had an impact on production. TSMC is the company responsible for manufacturing a very large percentage of Apple’s processing units, most been used in mobile devices like the iPhone. It is also further widely believed that the company is producing the technology behind the A12 core processor chips in the new iPhone scheduled for release later this year.

Currently been exploited in mainly Brazil is a massive cryptojacking campaign infecting MikroTik routers. Central to the campaign is the hacker’s use of the now infamous Coinhive in-browser cryptocurrency miner. Cryptojacking is the unauthorized use of someone else’s computer to mine cryptocurrency. Hackers do this by either getting the victim to click on a malicious link in an email that loads crypto mining code on the computer or in this case a router. The crypto mining code then works in the background as unsuspecting victims use their computers normally. The only sign they might notice is slower performance or lags in execution that may not have been experienced previously.

On July 20, Singapore officials announced that hackers managed to steal the health records of 1.5 million Singaporeans including Prime Minister Lee Hsien Loong. Since authorities revealed the breach there have been a number of developments into who may have been behind the attack and how the attack was perpetrated. The article which follows summarises these developments in an attempt to make sense of the entire affair. AFP initially reported that the initial analysis was done by Singapore's Cyber Security Agency “indicates this is a deliberate, targeted, and well-planned cyber-attack and not the work of casual hackers or criminal gangs,” No one was directly attributed to the attack and officials declined to comment on whom they believed to be responsible. “Operational security,” was the reason given for the no comment approach. Officials did, however, confirm that the prime minister's data has not shown up anywhere on the internet.

While malware targeting Mac users is far from common when compared to other platforms, Mac users should be aware that they are not immune to malware infections. Security researchers at Kaspersky last week detected a new variant of the Mac malware Proton, which they have called Calisto. According to those researchers, the malware was uploaded to VirusTotal way back in 2016. This is most likely the same year it was created.  For two years Calisto remained off the radar of antivirus solutions, until May of this year with the first detections appearing on VirusTotal. Researchers of the opinion that Calisto may be a precursor to Proton which made InfoSec headlines in 2017. It would appear that Calisto is distributed via a fake Intego Mac Internet Security X9 installer. This is similar to Proton’s delivery method in that the Trojan was distributed and installed at one stage via a fake Symantec app. The distribution was made possible by the malware authors creating a fake Symantec blog which was search engine optimized to direct traffic to it.

With the release of the Securing the Supply Chain report it has been shown that supply chain attacks are increasing in popularity. The survey conducted by CrowdStrike further showed that organizations increasingly have to deal with cyber attacks targeting the software supply chain and in many cases, they are not adequately prepared to respond to such incidents. Such an attack can be defined as the illegitimate compromising of software code through cyber attacks, insider threats, and other close access activities at any phase of the supply chain to infect an unsuspecting customer. In the past, they have also been called value-chain or third-party attacks and can commonly occur when someone infiltrates your system through an outside partner or provider with access to your systems and data.

The world is often a funny place at the best of times. The recent Twitter rant, that did not involve President Trump for a change but rather this platform and service it provides, proves this planet is a tad absurd. Notwithstanding the Twitter rant by a malware developer stating that this platform falsely accused the developer of being a scammer, the incident does raise a very important question. That being, should you ever pay the ransom if you’ve become a victim of ransomware?

Before that question is answered the details of the aforementioned rant should be discussed. King Ouroboros, the developer or group of developers behind the King Ouroboros Ransomware, went to Twitter in an attempt to right a much perceived wrong. In the Twitter post, King Ouroboros attempts to set the record straight by stating that individual or group are not scammers. This appears to be in response to a ransomware removal guide published on this platform. The intention of the published piece is to assist those infected with the ransomware by removing it from the infected system. In the guide victims are advised, “Research shows that ransomware developers are likely to ignore victims, once payments are submitted. Therefore, paying typically gives no positive result and users are scammed.”

Becoming a victim of a scam or hack is certainly a dent to one's ego. When the losses are tallied up you may wish it was just your ego that was bruised rather than your bank balance. On July 12, 2018, the Federal Bureau of Investigation (FBI) issued a public service announcement revealing the losses and potential losses caused by business email compromise (BEC) and email account compromise (EAC). According to the FBI, the total loss and potential loss amounted to over 12 billion USD between October 2013 and May 2018. The amount was calculated by including money that was actually lost by victims and money they could have lost if they had fallen for the scam. A BEC is a type of phishing attack where a cybercriminal impersonates an executive, often a CEO, and attempts to get an employee, customer, or vendor to transfer funds or sensitive information to the phisher. Unlike traditional phishing attacks, which target a large number of individuals across a company, BEC attacks are highly targeted and focussed. Cybercriminals will scrape compromised email inboxes, study recent company news, and research employees on social media sites in order to make these email attacks look as convincing as possible. This high level of targeting helps these email scams to slip through spam filters and evade email whitelisting campaigns. This making it far harder for employees to decide whether the email is legitimate or not.

Security firm McAfee recently discovered a hacker offering access to a machine at an international airport for the low price of only 10 USD. This was of course discovered on the Dark Web, that cesspit of immoral behavior. Access to the machine would be granted via Remote Desktop Protocol (RDP) which is fast becoming a favored method the popular delivery method for many malware types. RDP is a proprietary Microsoft protocol that provides access to remote machines through a graphical interface. It was initially designed for administration purposes, but cybercriminals are increasingly using it as part of their arsenal of attack tools. Cybercriminals are known to subvert legitimate tools for their own purposes and their use of RDP is no different.