Internet threat news

In a few days after the publication of an article on how malware authors are adapting ransomware in more targeted attacks, another ransomware family also changes with the times. This time the Rakhni ransomware has changed, yet again, but this time it includes a coin miner. While numerous other ransomware strains picked up a lot of media attention, be they Locky or Cerber, Rakhni has kept a far lower profile. Despite the low profile it continued to be changed and adapted for certain other tasks the malware authors deem appropriate.

With WannaCry, NotPetya, and Bad Rabbit outbreaks making international headlines 2017 was often referred to as the year of ransomware. The term ransomware was discussed around offices and lectures halls. For a period it was deemed to be enemy number one within the InfoSec community. A year is a long time in digital terms and ransomware may no longer hold that notorious spot any longer. 2018 may be the year of crypto miners, with such attacks been the most detected by security firms including Imperva. Although ransomware may be dethroned is it truly on the way out? Or has it adapted and evolved?

For a period of time ransomware made a real nuisance of itself, particularly for industry and companies. Locky ransomware caused major disruptions at a hospital while the Cerber ransomware was offered by enterprising individuals as a “Ransomware as a Service (RaaS).” Despite these incidents, ransomware detections by security firms decreased steadily. This decline has been so significant that it led those working at Kaspersky Labs to state the threat was “rapidly vanishing.” In a report published by the firm, analysts noticed a 30 percent decline in ransomware attacks between April 2017 and March 2018 compared with the same period the previous year.

Hackers are a notoriously cunning bunch. They will exploit anything and everything in order to make some quick but illegally money. The higher the potential payday for hacker or scammer the more likely whatever it is, is likely a target. Over the past couple of days, two instances of hackers targeting users’ cryptocurrency wallets were uncovered. In the first instance employees of the Trezor multi-cryptocurrency wallet service discovered a phishing attack against some of its users. The second recent case of user’s wallets been targeted involves a piece of malware which monitors the targets clipboard. This is done as many cryptocurrency wallets have long and hard to remember addresses meaning users often copy and paste the relevant wallet address.

The company released a statement on Sunday, July 1, 2018 warning users of the attempted phishing attack. According to the statement the phishing attack is believed to be an instance of “DNS Poisoning”. This technique involves hackers hijacking legitimate traffic to the targeted website. The traffic is then redirected to a malicious server hosting a fake website.  The incident came to light when users began complaining that they encountered an invalid HTTPS certificate when landing on the assumed legitimate Trezor's web wallet portal. Generally, an invalid certificate would mean that the website on which users landed was not the actual portal, but someone posing as the Trezor. The certificate is deemed invalid since the fake website is unable to pass verification tests to determine if it is the legitimate website portal.

Security researchers are seeing an increase in the Distributed Denial of Service (DDoS) attacks which abuse the Universal Plug and Play (UPnP) features of home routers. This new technique makes it harder to detect such attacks and it makes them harder to mitigate as an added bonus for attackers. Researchers at Imperva were the first to detail such attacks which they witnessed occurring last month. It was predicted then that this new technique of UPnP port masking would become popular amongst those looking to carry out a DDoS attack.

A DDoS attack can be seen as an attack which utilizes incoming traffic to flood the victim or target with the intention of temporarily or indefinitely disrupting services of a host connected to the Internet. A hallmark of DDoS is that the incoming traffic flooding the victim originates from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source. The UPnP features of home routers allow for network devices to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment as well as many other services that make sharing incredibly convenient. UPnP is intended primarily for home networks rather than enterprise networks.

While the world collectively experiences football fever and only wants to read stories about Kane, Messi, and Ronaldo all else seems to take a back seat. However, despite our attention been elsewhere the world still turns. An example of this can be seen in recent accusations leveled at security firm, FireEye. The Firm has been accused of illegally "hacking back" a Chinese nation-state cyber-espionage group. The accusations and inevitable social media discussions began after the release of “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age,” a book written by David Sanger, a renowned New York Times national security journalist.

In 2013, FireEye published a report called “APT1, Exposing One of China’s Cyber Espionage Units.” The report was seen as a revelation in the InfoSec community and is mentioned with the same reverence English academic have for the collected works of Shakespeare. The fabled report exposed the activities of Chinese hackers in a depth of details like never before, even going as far as pinning the hacking on Unit 61398 of China's People’s Liberation Army (PLA). Unit 61398 would earn the name APT1, earning the designation of 1 amongst an estimated 20 other advanced persistent threat groups (APT) believed to be operating out China.

In a recent report published by cybersecurity firm Symantec, detail of a new advanced persistent threat (APT) group targeting satellite and defense companies have been revealed to the public. An APT can be seen as a set of stealthy and continuous computer hacking processes. In general APT processes require a high degree of covertness over a long period of time. The “advanced” process signifies the sophisticated techniques using malware to exploit vulnerabilities in systems. The “persistent” process suggests that an external command and control system is continuously monitoring and extracting data from a specific target. The “threat” process indicates human involvement in orchestrating the attack. Symantec having tracking and investigating the group since 2013 and have decided to call the group in question “Thrip”.

In the murky world of cyber espionage researchers have noticed groups adopting “living off the land” tactics. Such tactics involve the use of operating system features or legitimate network administration tools to compromise victims’ networks. It would appear that these tactics are adopted for two reasons. Firstly, by using such features and tools, attackers are hoping to blend in on the victim’s network and hide their activity in a sea of legitimate processes allowing for the stealthy and continuous stealing of information. Secondly, even if malicious activity involving these tools is detected, it can make it harder to attribute attacks. While many such groups are adopting these so-called “living off the land” tactics, Thrip is no different.

Europol along with French, UK, and Thai police arrested eight people suspected either to have been involved or to have been part of a now infamous hacker group known as Rex Mundi. Meaning king of the world in Latin, the group has been active since 2012. The group became particularly known for hacking into companies' networks, stealing private information, and later contacting the victims to request the payment of a ransom fee. The group was also known for demanding fees for not disclosing the hacks and sometimes also asked for higher sums of money for revealing the security flaw they used to enter the victim's network. This probably seemed like a nice thing to do by the group in light of making the life of a poor CIO hell for a period.

Europol released a statement detailing the international operation supported by Europol and the Joint Cybercrime Action Taskforce (J-CAT)  that started almost exactly one year ago. J-CAT whose responsibilities include combating cybercrime via a coordinated, international approach was launched in September 2014 and targets cybercrime, which includes other high tech crime and sexual exploitation of children, in the European Union and outside its borders.

Scammers, hacker, and cybercriminals have some tried and tested methods for targeting victims. An old classic that seems to never go out of style is the phishing email. News of a new scam seems to come around like clockwork. It would appear that no user no matter the platform or operating system is safe from scammers. While not necessarily a new scam, one scam, in particular, is plaguing Apple users. So much so that Apple released a statement to help users identify suspicious emails. At the most basic level, a phishing scam involves sending fraudulent emails that appear to be from a reputable company, with the goal of deceiving users into either clicking on a malicious link or downloading an infected attachment. This is often done to steal financial or confidential information.

The film industry loves to portray bank robbers as street smart criminals who plan audacious schemes to physically break into bank vaults. The reality as always it not so glamorous with more and more bank robberies been confined to the digital realm. News broke towards the end of May of an attempt to steal money during a hack of a Chilean bank. It was initially reported on May 24, by Banco De Chile that the bank had suffered an all-around systems failures that affected the computers at several of its branches. Various local news sources began reporting that the bank while maintaining online banking channels could not carry out in banking operations. Initially, the bank in question refused to call it a security incident, but in a subsequent announcement on May 28, Banco de Chile admitted to having been hit by "a virus."

Towards the end of May, we covered an article concerning APT28 and their potential involvement in the creation of VPNFilter. The group has earned notoriety stemming from multiple attacks and campaigns. The group also seems to be trying to break records for the most names; the group also goes by Sednit, Sofacy, Fancy Bear, Pawn Storm, and Tsar Team. The group who is widely believed to operate under orders from the Kremlin has typically operated by targeting a small number of users inside an organization, usually with the same exploit chain and the same malware. Researchers at Palo Alto believe the group is changing tactics to what they call “parallel attacks”.

In a report  recently published by security firm, Palo Alto details how they believe the group is in the process of changing and adapting new tactics to carry out cyber espionage operations. Researchers at Palo Alto have conducting intense analysis on the group dating back to February and March of this year. Part of the analysis has dealt specifically with analyzing a lesser known tool widely attributed to the APT28 group called Zebrocy. Zebrocy is delivered primarily via phishing attacks that contain malicious Microsoft Office documents with macros as well as simple executable file attachments. Researcher’s track this now as the third campaign using the Zebrocy malware.

In recent months Tech Support Scams (for example: Microsoft Warning Alert, Do Not Ignore This Windows Alert, YOUR COMPUTER HAS BEEN BLOCKED) have seen a drastic rise in popularity. According to researchers at Microsoft the rise in such scams amounts to a 24% increase. The problem has even resulted in Microsoft teaming up with other industry giants to combat this scourge. While tech support scams, or put differently technical support scams, take on many guises the do have certain common traits that can be defined. Thus, any such scam involves the scammer claiming to offer a legitimate technical support service, often via cold calls to unsuspecting users. Such cold calls are mostly targeted at Microsoft Windows users, with the caller often claiming to represent a Microsoft technical support department but is not always the case.

On Monday, May 28, two Canadian banks revealed they had suffered cyber-attacks over the weekend. The two institutions, Simplii Financial and Bank of Montreal, both released statements confirming that they had been hacked. Later it was revealed that the hackers responsible are attempting to hold the data stolen from the banks for ransom. The hackers claim that they will release the personal information of 100,000 clients of the banks unless they receive 1 million USD worth of cryptocurrency.

Simplii Financial, which is a subsidiary of CIBC, one of Canada’s biggest financial institutions, released a statement on Monday confirming the incident which was discovered on the previous Sunday, In the statement it was confirmed that the hackers had managed to access and steal certain personal and account information for approximately 40,000 of Simplii's clients. Upon the discovery, Simplii moved to implement enhanced online fraud monitoring and online banking security measures. It also stated that it would be directly contacting all those affected. Michael Martin, the Senior Vice-President, wished to assure clients that, “We're taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” and, “We feel that it is important to inform clients so that they can also take additional steps to safeguard their information.”

Last week it was reported that it appeared that a Russian state-sponsored hacker group was potentially gearing up for an attack on Ukraine. Due to the work of numerous security researchers and the US Federal Bureau of Investigation (FBI) the attackers' plans were foiled somewhat. Such events will inevitably raise questions on how to sufficiently deal with such threats. These discussions, as with discussions surrounding conventional warfare, can tread some morally murky water. A UK official has sought to clarify that country’s position with regard to responding to cyber warfare. In a speech issued by Air Marshall Phil Osbourne look to present a possible solution for his countries defense. The position that could be adopted according to Air Marshall Osbourne should be, “…to understand first, to decide first, and then if necessary to act first, across the physical and virtual, to secure decision advantage and then operational advantage, seeking swift yet controlled exploitation of vulnerabilities and the proactive denial of opportunities.”

On May 23, 2018, researchers at Cisco Talos published a report detailing their discovery of a giant botnet of hacked routers that appears to be preparing for a cyber-attack on Ukraine. Researchers say that the botnet has been created by infecting home routers with a new malware strain named VPNFilter. It is widely believed within the InfoSec community and other nation states that Russia, in particular, the nation-state group APT28, are behind the botnet and malware creation. This has been done to target Ukraine according to experts.

According to Cisco, this new malware variant is incredibly complex, especially when compared with other IoT botnets. VPNFilter comes with support for boot persistence, only the second IoT malware to do so seen in the wild to do so, scanning for SCADA components, and a firmware wiper function to incapacitate affected devices. SCADA, or otherwise known as supervisory control and data acquisition, are commonly seen as control system architecture that uses computers, networked data communications and graphical user interfaces for high-level process supervisory management. All this is combined to assist in the management of industrial machinery and factory processes. Searching for and targeting such components has become a favorite of nation-state groups.